4th Oct 2002 [SBWID-5732]
COMMAND
CoolForum shows content of PHP files
SYSTEMS AFFECTED
CoolForum v 0.5 beta
PROBLEM
Thanks to Arnaud Jacques aka scrap [webmaster@securiteinfo.com]
[http://www.securiteinfo.com] for the following post:
http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
.oO Details Oo.
This forum ships a file named "avatar.php" whose job is to serve an
image stored in the "logos" directory. Here is the source of
avatar.php :
<?
header('Pragma: no-cache');
// $img comes straight from the request (register_globals); it is never
// validated, and the ereg() calls only pick a Content-Type.
if (ereg(".jpg",$img))
    header("Content-Type: image/jpeg");
else if (ereg(".gif",$img))
    header("Content-Type: image/gif");
header('Expires: 0');
// "../" sequences in $img walk out of the logos directory.
$fichier="logos/$img";
$fp=fopen($fichier,"r");
$image=fread($fp,filesize($fichier));
fclose($fp);
echo($image);
?>
What does this file do? It is simple: it takes a file name as its "img"
argument, reads the file in full, and sends the content back to the
browser. $img is never checked, so "../" sequences let the caller name
*any* file, inside or *outside* the logos directory, that the web server
user can read. A .htaccess rule only restricts HTTP requests to a
directory; here PHP reads the file from disk, so *any* such protection
is bypassed.
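A hardened replacement for avatar.php, added here as an example. It is not the vendor's 0.5.1 fix and not code from the original post; it assumes the same "logos" directory next to the script and the same "img" query parameter. The name is read from $_GET explicitly, restricted to a plain file name with an allowed extension, and the resolved path is checked to still lie inside logos/ before anything is sent:

```php
<?php
// Added example (hypothetical hardened avatar.php), not CoolForum code.
// Assumes: images live in ./logos and the name arrives as ?img=<name>.

$logosDir = realpath(dirname(__FILE__) . '/logos');

// Read the parameter explicitly instead of relying on register_globals.
$img = isset($_GET['img']) ? (string) $_GET['img'] : '';

// 1. Allow only a bare file name with a known image extension:
//    no slashes, no "..", no NUL bytes, nothing but [A-Za-z0-9_-].
if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|gif)$/i', $img)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// 2. Resolve the final path and confirm it is still under logos/.
//    realpath() collapses any "../" and returns false for missing files.
$path = realpath($logosDir . '/' . $img);
if ($path === false
    || !is_file($path)
    || strpos($path, $logosDir . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 3. Pick the Content-Type from the extension we already validated,
//    rather than from a substring match anywhere in the name.
$types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif');
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));

header('Pragma: no-cache');
header('Expires: 0');
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this version a request such as avatar.php?img=../secret/connect.php fails the file-name check at step 1 and returns 400; a name that passes the regex but does not resolve to a regular file inside logos/ returns 404. The realpath check in step 2 is kept even though the regex already rejects "/" and ".", so that a later relaxation of the allowed characters cannot silently reintroduce the traversal.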
.oO Exploit Oo.
The exploit is really easy. The aim is to read the "connect.php" file
in the "secret" directory. "connect.php" contains the database
connection information (host, user, password), and the "secret"
directory is protected by a .htaccess file. You can run the exploit from
any browser with this syntax :
http://<Forum_URL>avatar.php?img=../secret/connect.php
Of course, replace <Forum_URL> with the vulnerable server. You will get
a blank page: since the name contains neither ".jpg" nor ".gif" no
image Content-Type is set, the response goes out as text/html, and the
browser swallows the PHP tags. View the source of that page and you
get the jackpot...
SOLUTION
.oO Solution Oo.
The vendor has been informed and has fixed the problem. Download
CoolForum 0.5.1 or later at :
http://www.coolforum.net/index.php?p=dlcoolforum