iSite 1.0 bug

2003-05-15T00:00:00
ID SECURITYVULNS:DOC:4532
Type securityvulns
Reporter Securityvulns
Modified 2003-05-15T00:00:00

Description

Hi, vuln,

RusH security team

www.rst.bb1.ru

--= Advisory #7 =--

Product: iSite 1.0

http://scripts.igray.ru

Vuln: Viewing any .txt file on server

Bug found: 11.05.2003 by 1dt.w0lf

About program

iSite is a script for creating and updating a small site without using SQL.

About bug

The bug is in the code of index.php:

[ scip ]
if (isset($topic)) {
    $df = $topic."/".$page.".txt";
    $fp = fopen($df, "r");
[ scip ]

$topic and $page are not filtered in this file, so we can modify them to view any .txt file on the server:

http://www.victim.com/isite/index.php?topic=..&page=file_name

$df = ../file_name.txt

With this URL we can view the file file_name.txt.

Don't forget about the slash in the code: if you want to view a file in the isite directory, you need to use this URL:

http://www.victim.com/isite/index.php?topic=../isite&page=file_name

$df = ../isite/file_name.txt
              ^ this slash

If you don't use any path in $topic:

http://www.victim.com/isite/index.php?page=file_name

you can't view .txt files!

[ scip ]
if (isset($topic)) {
    $df = $topic."/".$page.".txt";
    $fp = fopen($df, "r");
[ scip ]
} else {                     \
    include ("news.txt");     >  <--- !!! don't forget to use $topic
}                            /

############################

with best regards, 1dt.w0lf
mailto: idtwolf@sigaret.net

RusH security team web: http://www.rst.bb1.ru
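
A hardened form of the file lookup quoted in the advisory, as an added example that is not part of the original advisory or of iSite's code. The function name resolve_page(), the content root and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not iSite's code. resolve_page() and the demo tree are hypothetical.

// Map topic/page to a .txt file under $root, or return null to refuse the request.
function resolve_page(string $root, string $topic, string $page): ?string
{
    // 1. Allow-list: each name is one path component, so "..", "/" and "." never pass.
    foreach ([$topic, $page] as $name) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
            return null;
        }
    }
    // 2. Canonicalise, then confirm the result is still under the content root
    //    (catches symlinks that the name check cannot see).
    $base = realpath($root);
    $path = realpath($root . '/' . $topic . '/' . $page . '.txt');
    if ($base === false || $path === false) {
        return null; // root or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the root
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: one page inside the root, one .txt file outside it.
$tmp = sys_get_temp_dir() . '/isite_demo_' . getmypid();
mkdir("$tmp/content/news", 0700, true);
file_put_contents("$tmp/content/news/today.txt", "hello\n");
file_put_contents("$tmp/secret.txt", "outside the content root\n");

$cases = [
    ['news', 'today'],            // legitimate request
    ['..', 'secret'],             // the topic=.. pattern from the advisory
    ['../content/news', 'today'], // a path in topic, as in topic=../isite
    ['news', '../../secret'],     // the same idea through page
];
foreach ($cases as [$topic, $page]) {
    $file = resolve_page("$tmp/content", $topic, $page);
    printf("topic=%-16s page=%-13s %s\n", $topic, $page, $file === null ? 'refused' : 'served');
}

// Remove the demo tree.
unlink("$tmp/content/news/today.txt");
unlink("$tmp/secret.txt");
rmdir("$tmp/content/news");
rmdir("$tmp/content");
rmdir($tmp);
```

Only the first case is served; the other three are refused by the name check before any file is opened.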
