From theall at tenablesecurity.com  Thu Jun 10 09:06:01 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 10 Jun 2010 10:06:01 -0400
Subject: [VIM] PHprojekt Module CMS 0.6.1 Remote File Inclusion Vulnerability
Message-ID: <1F87B481-B3E8-4192-9516-02721D103CB0@tenablesecurity.com>

FYI: Exploit DB 12854 / Bugtraq 40545 concern a remote file include in
Content Management module for Phprojekt version 0.6.1, involving the
'path_pre=' parameter of the 'cm/cm_navigation.inc.php'.  This is a
duplicate of Bugtraq 19628 (see ).
[cm_navigation.inc.php doesn't exist in the application's root
directory, only under 'cm/'.] And for what it's worth, exploitation
requires that register_globals be enabled; eg,

     // Content Management System module for PHProjekt (CMS4P).
  // Copyright 2002-2005 by Mario A. Valdez-Ramirez
  // http://www.mariovaldez.net/
  ...  [comments removed, GAT]

  include_once ($path_pre . "cm/cm_lib.inc.php");

George
-- 
theall at tenablesecurity.com

From theall at tenablesecurity.com  Thu Jun 10 09:22:08 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 10 Jun 2010 10:22:08 -0400
Subject: [VIM] phpGraphy
Message-ID: <811BD6FA-415B-4791-9FA8-BBF5EFEDCFF8@tenablesecurity.com>

Bugtraq 40506 covers a remote file include vulnerability in phpGraphy
version 0.9.13b. [I believe Exploit DB 12837 covered it as well but that
no longer exists now.]  The BID shows the following PoC:

  http://www.example.com/phpgraphy-0.9.13b/base/misc/mysql_cleanup.php?include_path=[SHELLCODE]

Looking at the source of the supposedly affected file in version
0.9.13b, though, you can see this is completely bogus:
   
References: <1F87B481-B3E8-4192-9516-02721D103CB0@tenablesecurity.com>
Message-ID: <4C110A66.9040408@securityfocus.com>

Thanks George.

We've retired BID 40545 as a duplicate.

Cheers,
Rob

George A. Theall wrote:
> FYI: Exploit DB 12854 / Bugtraq 40545 concern a remote file include in
> Content Management module for Phprojekt version 0.6.1, involving the
> 'path_pre=' parameter of the 'cm/cm_navigation.inc.php'.  This is a
> duplicate of Bugtraq 19628 (see
> ).
> [cm_navigation.inc.php doesn't exist in the application's root
> directory, only under 'cm/'.] And for what it's worth, exploitation
> requires that register_globals be enabled; eg,
> 
>      // Content Management System module for PHProjekt (CMS4P).
>   // Copyright 2002-2005 by Mario A. Valdez-Ramirez
>   // http://www.mariovaldez.net/
>   ...  [comments removed, GAT]
> 
>   include_once ($path_pre . "cm/cm_lib.inc.php");
> 
> 
> George


From rkeith at securityfocus.com  Thu Jun 10 10:54:11 2010
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 10 Jun 2010 09:54:11 -0600
Subject: [VIM] phpGraphy
In-Reply-To: <811BD6FA-415B-4791-9FA8-BBF5EFEDCFF8@tenablesecurity.com>
References: <811BD6FA-415B-4791-9FA8-BBF5EFEDCFF8@tenablesecurity.com>
Message-ID: <4C110AA3.6050805@securityfocus.com>

Thanks again George.

This BID has been retired.

Cheers,
Rob

George A. Theall wrote:
> Bugtraq 40506 covers a remote file include vulnerability in phpGraphy
> version 0.9.13b. [I believe Exploit DB 12837 covered it as well but that
> no longer exists now.]  The BID shows the following PoC:
> 
>  
> http://www.example.com/phpgraphy-0.9.13b/base/misc/mysql_cleanup.php?include_path=[SHELLCODE]
> 
> 
> Looking at the source of the supposedly affected file in version
> 0.9.13b, though, you can see this is completely bogus:
> 
>   
>   
>      ...
>   // COMMENT OUT THE FOLLOWING LINE TO RUN THE SCRIPT //
>   die("This is a protection to avoid others people to run this script,
> to run it, you need to edit the file and remove the line with this text");
> 
>   // Include path to change if you've moved the script from its original
> location
>   $include_path="../";
> 
>   // You shouldn't need to edit anything below
> 
>   if (is_file($include_path."config.inc.php")) include_once
> $include_path."config.inc.php"; else die("Could not find config.inc.php,
> please modify include_path in the header section ");
>   if (is_file($include_path."include/db_mysql.inc.php")) include_once
> $include_path."include/db_mysql.inc.php"; else die("Could not find
> db_mysql.inc.php, please modify the include_path in the header section");
> 
> Even if an admin commented out the initial 'die()', '$include_path' is
> hardcoded, and, the first 'include_once()' call includes
> '$include_path/config.inc.php', which doesn't exist because the config
> file is actually stored in '../../conf' and is named 'config.ini.php' so
> the script will stop executing without ever trying to include a function.
> 
> George

From theall at tenablesecurity.com  Thu Jun 17 15:31:57 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 17 Jun 2010 16:31:57 -0400
Subject: [VIM] PenPals Authentication Bypass
Message-ID: <8C4D39D6-EF06-4326-A2CE-531E853E8C4E@tenablesecurity.com>

Exploit DB 13901 / Bugtraq 40925 looks like a dup of milw0rm 8107 /  
Bugtraq 33907. Anyone else notice?

George
-- 
theall at tenablesecurity.com




From rkeith at securityfocus.com  Thu Jun 17 15:40:16 2010
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 17 Jun 2010 14:40:16 -0600
Subject: [VIM] PenPals Authentication Bypass
In-Reply-To: <8C4D39D6-EF06-4326-A2CE-531E853E8C4E@tenablesecurity.com>
References: <8C4D39D6-EF06-4326-A2CE-531E853E8C4E@tenablesecurity.com>
Message-ID: <4C1A8830.2010409@securityfocus.com>

Yep indeed George, thanks.

We'll be retiring the new BID shortly.

-Rob

George A. Theall wrote:
> Exploit DB 13901 / Bugtraq 40925 looks like a dup of milw0rm 8107 /
> Bugtraq 33907. Anyone else notice?
> 
> George

-- 
Rob Keith
Symantec

From theall at tenablesecurity.com  Wed Jun 23 13:55:01 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 23 Jun 2010 14:55:01 -0400
Subject: [VIM] BID 40546 vs 41073
Message-ID: <357B6164-6B5F-45F8-9CF4-D847FAD74EB1@tenablesecurity.com>

Can someone explain the differences between BID 40546 and 41073? The  
former covers a remote file include in phpBazar involving the 'cat'  
parameter of the 'picturelib.php' script; the latter covers a  
directory traversal vulnerability in the phpBazarPicLib plugin for  
phpBazar involving the 'cat' parameter. The earlier BID gives a PoC  
that's the same as Exploit DB 12855, but I don't see any source for  
the latter BID. They seem like the same issue, though.


George
-- 
theall at tenablesecurity.com




From coley at linus.mitre.org  Fri Jun 25 15:17:51 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 25 Jun 2010 16:17:51 -0400 (EDT)
Subject: [VIM] some discrepancies: Linker IMG <=1.0 RFI
Message-ID: 


EXPLOIT-DB:13964
Researcher: Sn!pEr.S!Te Hacker


This is claimed to be RFI, but source inspection suggests that it is at 
best LFI.

   ...
   include ("./function/base_info.php");
   include ("./function/main_func.php");
   include ("./function/$Sdb_type.php");
   ...
   if ($lan_dir && file_exists("./$lan_dir/u_common.php"))
     include ("./$lan_dir/u_common.php");
   else include ("./$Slang/u_common.php");

First of all, the demo URL says "$lan_dir=[RFI]" but clearly $lan_dir is 
processed by the cook_lan cookie (VUPEN already noticed this, which 
prompted my investigation).

The include() is clearly only susceptible to LFI.

The "./function/$Sdb_type.php" include statement is presumably the source 
of the "Sdb_type=[RFI]" vector claimed by the researcher, but my casual 
source inspection suggests that $Sdb_type is probably set in an executable 
config file that is generated on installation.

By the way, the $Slang vector above also seems to be a hard-coded config 
value.

- Steve
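
[Added example for this archive page; it is not code from the VIM list, nor
from PHProjekt, phpGraphy or Linker IMG.]  The three source checks above
(George's on cm_navigation.inc.php and mysql_cleanup.php, Steve's on the
Linker IMG includes) follow the same recipe: find the include, find the
variables in its path, find out where the file sets them, and look whether
attacker data would land at the start of the path (where a stream wrapper
such as http:// can work) or behind a fixed local prefix (local inclusion
at most).  The script below mechanises that recipe.  Its sample inputs are
constructed from the statements quoted in the messages, one statement per
line; the $_COOKIE assignment in the Linker IMG sample is an assumption
standing in for the cook_lan handling Steve mentions, and the ini-setting
caveat in the verdicts is a general PHP fact, not something taken from the
advisories.

```python
"""Triage helper for claimed PHP file-inclusion bugs (added example; not
code from the VIM list or from PHProjekt, phpGraphy or Linker IMG).

For each include/require on a line it finds the variables in the path
expression, checks whether the file assigns them (literal, request input
or not at all) and whether attacker data would sit at the start of the
path, then reports RFI candidate / LFI at most / not attacker-controlled.
A regex triage aid for single-line statements, not a PHP parser."""
import re
from dataclasses import dataclass

INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*(.+?)\s*\)?\s*;")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)\s*(.+?)\s*;")
REQUEST_RE = re.compile(r"\$(_GET|_POST|_COOKIE|_REQUEST|_SERVER|_FILES|HTTP_\w*_VARS)\b")
LITERAL_RE = re.compile(r"\"[^\"]*\"|'[^']*'")

@dataclass
class Finding:
    line: int
    statement: str
    variables: list
    sources: dict        # variable -> "literal" | "request" | "other" | "unset"
    user_at_start: bool  # attacker data would be the first bytes of the path
    verdict: str

def variable_sources(php: str) -> dict:
    """Map each variable assigned in the file to the kind of its first assignment."""
    sources = {}
    for m in ASSIGN_RE.finditer(php):
        name, rhs = m.group(1), m.group(2).strip()
        if REQUEST_RE.search(rhs):
            kind = "request"
        elif LITERAL_RE.fullmatch(rhs):
            kind = "literal"
        else:
            kind = "other"
        sources.setdefault(name, kind)
    return sources

def user_data_at_start(expr: str) -> bool:
    """True when no literal text precedes the first variable, so a value such
    as http://attacker.example/ would become the start of the include path."""
    m = VAR_RE.search(expr)
    if m is None:
        return False
    return re.sub(r"[\s()\"']", "", expr[: m.start()]) == ""

def verdict(sources: dict, at_start: bool) -> str:
    kinds = set(sources.values())
    if "request" in kinds:
        how = "from request input"
    elif "unset" in kinds:
        how = "only with register_globals on (unless an included config sets it; check)"
    else:
        return "not attacker-controlled: every variable is assigned in this file"
    if at_start:
        return f"RFI candidate {how}; remote fetch also needs allow_url_fopen/allow_url_include"
    return f"LFI at most {how}; the fixed local prefix rules out a stream wrapper"

def classify(php: str) -> list:
    assigned = variable_sources(php)
    findings = []
    for lineno, line in enumerate(php.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # comment line
        for m in INCLUDE_RE.finditer(line):
            expr = m.group(2)
            names = VAR_RE.findall(expr)
            if not names:
                continue  # static path, nothing to triage
            sources = {n: "request" if REQUEST_RE.fullmatch("$" + n)
                       else assigned.get(n, "unset") for n in names}
            at_start = user_data_at_start(expr)
            findings.append(Finding(lineno, m.group(0).strip(), names, sources,
                                    at_start, verdict(sources, at_start)))
    return findings

# Constructed samples: the statements quoted in the messages, one per line.
# The $_COOKIE assignment below is an assumption, not Linker IMG's code.
PHPROJEKT_CM_NAVIGATION = """<?php
include_once ($path_pre . "cm/cm_lib.inc.php");
"""
PHPGRAPHY_MYSQL_CLEANUP = """<?php
die("This is a protection to avoid others people to run this script");
$include_path="../";
if (is_file($include_path."config.inc.php")) include_once $include_path."config.inc.php"; else die("Could not find config.inc.php");
"""
LINKER_IMG = """<?php
$lan_dir = $_COOKIE['cook_lan'];
include ("./function/base_info.php");
include ("./function/$Sdb_type.php");
if ($lan_dir && file_exists("./$lan_dir/u_common.php"))
  include ("./$lan_dir/u_common.php");
else include ("./$Slang/u_common.php");
"""

if __name__ == "__main__":
    for f in classify(PHPROJEKT_CM_NAVIGATION) + classify(PHPGRAPHY_MYSQL_CLEANUP) + classify(LINKER_IMG):
        print(f"line {f.line}: {f.statement}\n  -> {f.verdict}")
```

Run against the three samples it reproduces the list's conclusions: the
PHProjekt include is an RFI candidate only under register_globals, the
phpGraphy include uses a variable the file itself sets to a literal, and
every Linker IMG include carries a "./" prefix, so the cookie-controlled
one is LFI at most and the other two depend on values this file never sets.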

From jericho at attrition.org  Sun Jun 27 19:31:10 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 27 Jun 2010 19:31:10 -0500 (CDT)
Subject: [VIM] MultiShop CMS (CVE-2010-2139) dispute
Message-ID: 


Anonymous comment on the OSVDB entry:

http://osvdb.org/show/osvdb/64936

This script does not have security injection issues and is safe. The 
pages.php is not a form and has 0 input. There is no way to inject