[VulnWatch] CoolForum v 0.5 beta shows content of PHP files
From: scrap <webmaster@securiteinfo.com>
To: bugtraq@securityfocus.com
Date: Tue, 1 Oct 2002 23:18:28 +0200
The original document can be found at
http://www.securiteinfo.com/attaques/hacking/coolforum0_5.shtml
.oO Overview Oo.
CoolForum v 0.5 beta shows the content of PHP files
Discovered on September 16th, 2002
Vendor: http://www.coolforum.net
CoolForum v 0.5 is a PHP forum. It can be made to show the content of PHP files.
.oO Details Oo.
This forum contains a file named "avatar.php". This file serves an image
stored in the "logos" directory. Here is the source of avatar.php:
<?
header('Pragma: no-cache');
// $img comes straight from the request (register_globals) and is never validated.
// The unescaped "." in the patterns matches any character, so the checks are loose.
if (ereg(".jpg",$img))
    header("Content-Type: image/jpeg");
else if (ereg(".gif",$img))
    header("Content-Type: image/gif");
header('Expires: 0');
// "logos/" is only prefixed to the name; nothing restricts $img to that directory.
$fichier="logos/$img";
$fp=fopen($fichier,"r");
$image=fread($fp,filesize($fichier));
fclose($fp);
// Whatever was read is returned verbatim, regardless of the declared Content-Type.
echo($image);
?>
What does this file do? It's simple: it takes the name of the file as an argument,
reads it fully, and sends the content back to your browser.
The security flaw is that *any* file, inside or *outside* the logos directory, can be
shown, bypassing *any* protected directory...
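As an added example (not CoolForum's code and not from the original advisory), here is a hardened avatar.php that still serves images from the logos directory but refuses anything else. It assumes the filename arrives as the "img" query parameter and that the logos directory sits next to the script.

```php
<?php
// Added example, not CoolForum's code: a hardened replacement for avatar.php.
// Assumptions: images live in the "logos" directory next to this script and
// the filename is passed as the "img" query parameter (no register_globals).

// Only these extensions are served; the map doubles as the Content-Type table.
$allowedTypes = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
);

// Accept only a plain filename: letters, digits, "_", "-" and one extension.
// This rejects slashes, "..", NUL bytes and anything that is not a bare name.
$img = isset($_GET['img']) ? $_GET['img'] : '';
if ($img === '' || !preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $img)) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// The extension decides the Content-Type; unknown types are not served at all.
$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));
if (!isset($allowedTypes[$ext])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// Resolve both paths and require the file to live under the logos directory.
// realpath() collapses symlinks and ".." so the containment check is meaningful
// even if the regex above were ever relaxed.
$baseDir = realpath(dirname(__FILE__) . '/logos');
$fichier = ($baseDir === false) ? false : realpath($baseDir . '/' . $img);
if ($baseDir === false || $fichier === false
    || strpos($fichier, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($fichier)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

header('Pragma: no-cache');
header('Expires: 0');
header('Content-Type: ' . $allowedTypes[$ext]);
header('Content-Length: ' . filesize($fichier));
readfile($fichier);
```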
.oO Exploit Oo.
The exploit is really easy. The aim is to read the "connect.php" file in the
"secret" directory. "connect.php" contains the information about the
database connection, and the "secret" directory is protected by a .htaccess file.
You can do the exploit with any browser by using this syntax:
http://
Of course, replace <Forum_URL> with the vulnerable server.
You will get a blank page. If you view the source of this web page, you'll
get the jackpot...
.oO Solution Oo.
The vendor has been informed and has solved the problem.
Download CoolForum 0.5.1 or the latest version at:
http://www.coolforum.net/index.php?p=dlcoolforum
.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com