If the webserver is not chrooted or otherwise protected from escaping a directory, all files on the system will potentially be readable by an attacker (providing the user the webserver runs as has read permissions), i.e.

http://<Forum_URL>avatar.php?img=../../../../../etc/passwd

David Woods
Solidhouse
http://www.solidhouse.com

On Sat, 12 Oct 2002 15:29:48 +0200 scrap <webmaster@securiteinfo.com> wrote:

> CoolForum v 0.5 beta shows content of PHP files
> The original document can be found at
> http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
>
>
> .oO Overview Oo.
> CoolForum v 0.5 beta shows PHP content files
> Discovered on 2002, September, 16th
> Vendor: http://www.coolforum.net
>
> CoolForum v 0.5 is a PHP forum. This forum can show the content of PHP files.
>
>
> .oO Details Oo.
> This forum contains a file named "avatar.php". This file can show an
> image stored in the "logos" directory. Here is the source file of avatar.php:
>
> <?
> header('Pragma: no-cache');
> // $img arrives straight from the request (register_globals) and is used unchecked
> if (ereg(".jpg",$img))
>     header("Content-Type: image/jpeg");
> else if (ereg(".gif",$img))
>     header("Content-Type: image/gif");
> header('Expires: 0');
>
> $fichier="logos/$img";
>
> $fp=fopen($fichier,"r");
> $image=fread($fp,filesize($fichier));
> fclose($fp);
>
> echo($image);
> ?>
>
> What does this file do? It's simple: it takes the name of the file as argument,
> reads it fully, and sends the content back to your browser.
> The security flaw is that *any* file, in or *out of* the logos directory, can be
> shown, bypassing *any* protected directories...
>
>
> .oO Exploit Oo.
> The exploit is really easy. The aim is to read the "connect.php" file in the
> "secret" directory. "connect.php" contains the information about the
> database connection and the "secret" directory is protected by a .htaccess file.
> You can do the exploit with any browser by using this syntax:
> http://<Forum_URL>avatar.php?img=../secret/connect.php
> Of course, replace <Forum_URL> by the vulnerable server.
> You will get a blank page. If you edit the source of this web page, you'll
> get the jackpot...
>
>
> .oO Solution Oo.
> The vendor has been informed and has solved the problem.
> Download CoolForum 0.5.1 or newer at:
> http://www.coolforum.net/index.php?p=dlcoolforum
>
>
>
> .oO Discovered by Oo.
> Arnaud Jacques aka scrap
> webmaster@securiteinfo.com
> http://www.securiteinfo.com
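The flaw in the quoted avatar.php is that the request parameter is concatenated onto "logos/" with no check that the result stays inside that directory. As an added example (not CoolForum's code and not the vendor's 0.5.1 fix), here is how such a handler can confine itself to the logos directory: strip the path to its last component, allow-list the file name shape, and then compare canonical paths with realpath() so that traversal sequences and symlinks pointing outside the directory are both rejected. It assumes the images live in ./logos next to the script and that only .jpg and .gif files are ever served; the function names are hypothetical.

```php
<?php
// Added example (not CoolForum's code): serve an avatar only from the
// "logos" directory, refusing any request that resolves outside it.
// Assumptions: images live in ./logos beside this script, and only
// .jpg/.gif files are served. Function names are hypothetical.

// Returns the canonical absolute path of the requested avatar, or null
// when the request names anything outside the logos directory or a
// file that is not a plain .jpg/.gif image.
function resolve_avatar_path(string $img, string $baseDir): ?string {
    // 1. Keep only the last path component, so "../secret/connect.php"
    //    (the traversal from the advisory) collapses to "connect.php".
    $name = basename($img);

    // 2. Allow-list the name: letters, digits, '_' or '-', then a .jpg or
    //    .gif extension. Extra dots, slashes and NUL bytes fail the match.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|gif)$/', $name)) {
        return null;
    }

    // 3. Canonicalise both the directory and the candidate and require the
    //    candidate to sit beneath the directory. realpath() follows symlinks,
    //    so a link inside logos/ that points elsewhere is rejected too.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;   // directory missing or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved outside the logos directory
    }
    return $path;
}

// Content type derived from the validated file name, not the raw input.
function content_type_for(string $path): string {
    return (substr($path, -4) === '.gif') ? 'image/gif' : 'image/jpeg';
}

// Read the parameter explicitly instead of relying on register_globals,
// and answer 404 for anything the resolver rejects.
$img  = isset($_GET['img']) ? (string) $_GET['img'] : '';
$path = resolve_avatar_path($img, __DIR__ . '/logos');

if ($path === null) {
    http_response_code(404);
    exit;
}

header('Pragma: no-cache');
header('Expires: 0');
header('Content-Type: ' . content_type_for($path));
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this handler the advisory's request `avatar.php?img=../secret/connect.php` is reduced to `connect.php`, fails the extension allow-list, and gets a 404; the realpath() comparison is the backstop that still holds if the allow-list is later loosened. Running the webserver as a low-privilege user, as David Woods' reply implies, limits what a traversal can read if a check like this is ever missing.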