Re: CoolForum v 0.5 beta shows content of PHP files

If the webserver is not chrooted or otherwise protected from escaping a directory, all files on the system will be potentially readable by an attacker (providing the user the webserver runs as has read permissions).

i.e.
http://<Forum_URL>avatar.php?img=../../../../../etc/passwd

David Woods
Solidhouse
http://www.solidhouse.com

On Sat, 12 Oct 2002 15:29:48 +0200
scrap <webmaster@securiteinfo.com> wrote:

> CoolForum v 0.5 beta shows content of PHP files
> The original document can be found at
> http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
> 
> 
> .oO  Overview Oo.
> CoolForum v 0.5 beta shows PHP content files
> Discovered on 2002, September, 16th
> Vendor: http://www.coolforum.net
> 
> CoolForum v 0.5 is a PHP forum. This forum can show the content of PHP files.
> 
> 
> .oO  Details Oo.
> This forum contains a file named "avatar.php". This file can show an
> image stored in the "logos" directory. Here is the source file of avatar.php:
> 
> <? header('Pragma: no-cache');
> // $img is an unvalidated request parameter; only the suffix is inspected
> if (ereg(".jpg",$img))
>    header("Content-Type: image/jpeg");
> else if (ereg(".gif",$img))
>    header("Content-Type: image/gif");
> header('Expires: 0');
> 
> // "../" sequences in $img escape the logos directory
> $fichier="logos/$img";
> 
> $fp=fopen($fichier,"r");
> $image=fread($fp,filesize($fichier));
> fclose($fp);
> 
> echo($image);
> ?>
> 
> What does this file do? It's simple: it takes the name of the file as argument,
> reads it fully, and sends the content back to your browser.
> The security flaw is that *any* file, in or *out* of the logos directory, can be
> shown, bypassing *any* protected directories...
> 
> 
> .oO  Exploit Oo.
> The exploit is really easy. The aim is to read the "connect.php" file in the
> "secret" directory. "connect.php" contains the information about the
> database connection and the "secret" directory is protected by a .htaccess file.
> You can do the exploit with any browser by using this syntax:
> http://<Forum_URL>avatar.php?img=../secret/connect.php
> Of course, replace <Forum_URL> by the vulnerable server.
> You will get a blank page. If you edit the source of this web page, you'll
> get the jackpot...
> 
> 
> .oO  Solution Oo.
> The vendor has been informed and has solved the problem.
> Download CoolForum 0.5.1 or newer at:
> http://www.coolforum.net/index.php?p=dlcoolforum
> 
> 
> 
> .oO  Discovered by Oo.
> Arnaud Jacques aka scrap
> webmaster@securiteinfo.com
> http://www.securiteinfo.com
> 
> 

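As an added example (not CoolForum's code and not part of either message above), here is how avatar.php can be hardened so that the "img" parameter can only name a file that really lives inside the "logos" directory. It assumes the same "img" request parameter and "logos" directory as the original script.

```php
<?php
// Added example, not CoolForum's code: a hardened avatar.php that refuses
// anything outside the "logos" directory. Assumes the same "img" request
// parameter and "logos" directory as the original script.

// Returns the resolved path of $name inside $baseDir, or null if the name
// is not a plain avatar file name or resolves to a file outside $baseDir.
function safe_avatar_path($baseDir, $name)
{
    // Only a bare file name: no slashes, no "..", only a .jpg/.gif suffix.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|gif)$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() is false for missing files and follows symlinks, so a
    // link inside logos/ that points elsewhere fails the prefix check too.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$img  = isset($_GET['img']) ? $_GET['img'] : '';
$path = safe_avatar_path(__DIR__ . '/logos', $img);

if ($path === null) {
    // Do not reveal whether the file exists or why it was refused.
    http_response_code(404);
    exit;
}

header('Pragma: no-cache');
header('Expires: 0');
header('Content-Type: ' . (substr($img, -4) === '.jpg' ? 'image/jpeg' : 'image/gif'));
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this check, a request such as img=../secret/connect.php fails the file-name pattern before any file is touched, and a crafted name that still resolves outside logos/ is caught by the realpath() prefix comparison.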