Vulnerability: PHPSlash

Affected: PHPSlash 0.6.1

Description:
Tobozo Tagada found the following. The url block type can access the filesystem when a path is specified by the administrator. The method used in Block_render_url.class does not check whether the $url variable contains a valid URL scheme. No parsing is done to check the integrity of the URL scheme, nor the content of the URL or the file name. If a path to a file is specified (e.g. /etc/passwd), the file is read and its content stored in the cache exactly as if it were a remote file fetched from a URL.

Exploit:
Log in as admin with GOD permissions. Access the BLOCKS admin section (blockAdmin.php3) and create a new block with the following information:

  Title            : notTrusted
  Type             : url
  Site Location    : whatever
  Source URL       : ./config.php3
  Expire Length    : 0
  Owned by section : home
  Data             : (empty)
  Order number     : whatever

The content of config.php3 is displayed as text in the block on the main page. This becomes an issue if blockAdmin.php3 grants add/edit/remove permission to users who are not supposed to access the filesystem.

Solution:
Replace the function parse() in Block_render_url.class so that it uses parse_url() and a regex to validate $url before passing it to the file() function.
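The following is an added example of the validation the solution describes, written here to illustrate the fix; it is not PHPSlash's own code, and the function names is_allowed_remote_url() and fetch_url_block() are hypothetical. It runs parse_url() over the configured source URL and accepts only absolute http(s) URLs with a plausible host, so local paths such as ./config.php3 or /etc/passwd, and file:// URLs, never reach file().

```php
<?php
// Added example, not PHPSlash's own code. Demonstrates the fix the advisory
// describes: validate $url with parse_url() and a regex before passing it
// to file(). Function names here are hypothetical.

// Return true only for absolute http(s) URLs with a syntactically valid host.
function is_allowed_remote_url($url) {
    // parse_url() returns false on seriously malformed input.
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // A local path such as "./config.php3" or "/etc/passwd" has no scheme
    // and no host; reject anything that is not explicitly http or https
    // (this also rejects file://, which PHP's file() would otherwise open).
    if (!isset($parts['scheme']) || !preg_match('/^https?$/i', $parts['scheme'])) {
        return false;
    }
    if (!isset($parts['host']) || !preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return false;
    }
    // Disallow embedded credentials, which can be used to disguise the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return true;
}

// Hardened replacement for the block's fetch step: reads remote content only
// after the URL has been validated, otherwise returns an empty result so the
// block renders nothing instead of a local file.
function fetch_url_block($url) {
    if (!is_allowed_remote_url($url)) {
        return array();
    }
    $lines = @file($url);
    return $lines === false ? array() : $lines;
}

// Constructed sample inputs illustrating the check.
$samples = array(
    './config.php3',               // rejected: relative path, no scheme
    '/etc/passwd',                 // rejected: absolute path, no scheme
    'file:///etc/passwd',          // rejected: scheme is not http(s)
    'http://user@example.com/x',   // rejected: embedded credentials
    'http://example.com/news.txt'  // accepted
);
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, is_allowed_remote_url($s) ? 'accepted' : 'rejected');
}
```

Two things worth checking when applying this kind of fix: fetching a remote URL with file() only works when allow_url_fopen is enabled, so the block should degrade to an empty result rather than an error when it is not; and the check above validates the form of the URL, not where it points, so if the web server can reach internal hosts, an additional host allow-list is the next layer to consider.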