[VIM] false: DotClear v1.2.5
Brent Graveland
brentg at securityfocus.com
Sat Feb 17 16:44:43 EST 2007
The download link is for the wrong app, but DotClear 1.2.5 is pretty
clearly the app being talked about.
index.php includes:
# Path to the application root (if you move this file elsewhere)
$app_path = '/';
# If, for example, you put blog.php at the root of your site and DotClear
# is located in /dotclear, you can uncomment this line:
//$app_path = '/dotclear/';
# DO NOT CHANGE ANYTHING AFTER THIS LINE
$blog_file_path = __FILE__;
$blog_dc_path = dirname(__FILE__).$app_path;
require $blog_dc_path.'/layout/prepend.php';
<a bunch of unimportant stuff>
include $dc_template_file;
require $blog_dc_path.'/layout/append.php';
1. $blog_dc_path is clearly defined
2. $dc_template_file is defined in layout/prepend.php, built from the
previously-defined $blog_dc_path
3. prepend.php includes a bunch of stuff using dirname(__FILE__) -
none of those files include/require other files
4. append.php only closes a filehandle.
index.php?blog_dc_path isn't an issue, and it doesn't look like other
variables are either.
Begin forwarded message:
> From: k4rtal at gmail.com
> Date: 17 February , 2007 02:59:07 MST (CA)
> To: bugtraq at securityfocus.com
> Subject: DotClear v1.2.5
> Message-Id: <20070217095907.30235.qmail at securityfocus.com>
>
> #################################################################
>
> #
> #DotClear v1.2.5 < = RFi Vulnerabilities ( KaRTaL )
> #
> #Download : http://www.spacemarc.it/scriptphp/index.php?script=meganoidesnews111
> #
> #Script Name : DotClear v1.2.5
> #
> #
> #################################################################
>
> #
> #
> #Coded By : KaRTaL
> #
> #
> #Contact : k4rtal[at]gmail[dot]com
> #
> #
> #################################################################
>
> #
> #
> #V.Code in : [path]/index.php
> #
> #
> # require $blog_dc_path.'/layout/append.php';
> #
> #
> #Exploit : www.target.com/path/index.php?blog_dc_path=[shell]
> #
> #
> #################################################################
>
> #
> #
> #
> #Gretz : Doublekickx , D3ngsz , ERNE , DermanTurK , M3rhametsiz ,
> CaCa , Gurkan142 , www.istikla-team.org
> #
> #
> #
> #
> #################################################################
>
--
Brent Graveland
brentg at securityfocus.com
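A quick way to triage a claim like this one, as an added example that is not part of the thread: a small Python script that lists every variable used as an include/require path in a PHP file and reports whether a plain assignment precedes its first use. It assumes the register_globals-era model the report implies, namely that only a variable never assigned in the file could be supplied from a request; the index.php excerpt below is constructed from the snippet quoted above, not the real DotClear source, and the second file is a constructed contrast case.

```python
import re

# Constructed excerpt mirroring the index.php quoted in the thread (not the
# actual DotClear source); $dc_template_file is set in layout/prepend.php.
DOTCLEAR_INDEX = r"""<?php
$app_path = '/';
//$app_path = '/dotclear/';
$blog_file_path = __FILE__;
$blog_dc_path = dirname(__FILE__).$app_path;
require $blog_dc_path.'/layout/prepend.php';
include $dc_template_file;
require $blog_dc_path.'/layout/append.php';
"""

# Constructed contrast case: $page is never assigned in the file, so under
# register_globals a request parameter would define it.
UNASSIGNED_INDEX = r"""<?php
include $page . '.php';
"""

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=[^=]')  # plain assignment, not ==

def triage_includes(src):
    """Return {var: verdict} for each variable used as an include/require path.

    'assigned before use': a plain assignment precedes the first use in this
                           file, so a request parameter cannot override it.
    'unassigned in file' : no prior assignment here; it either comes from an
                           earlier include (go read that file, as Brent did for
                           prepend.php) or is request-controllable under
                           register_globals.
    """
    verdicts = {}
    assigned = set()
    for line in src.splitlines():
        if line.strip().startswith(('#', '//')):
            continue  # commented-out code does not assign anything
        m = ASSIGN_RE.match(line)
        if m:
            assigned.add(m.group(1))
        for var in INCLUDE_RE.findall(line):
            verdicts.setdefault(var, 'assigned before use' if var in assigned
                                else 'unassigned in file')
    return verdicts

if __name__ == '__main__':
    for name, src in (('dotclear index.php', DOTCLEAR_INDEX),
                      ('contrast', UNASSIGNED_INDEX)):
        print(name, triage_includes(src))
```

The heuristic is single-file only: $dc_template_file is reported as unassigned here precisely because its definition lives in prepend.php, which is the next file to read.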