Société de Sécurité Informatique - Audit Firewall Appliance
La sécurité informatique - La sécurité des informations

CoolForum v 0.5 beta shows content of PHP files


Envoyer cet article par Email !Imprimer cet article !Exporter cet article en PDF !FacebookTwitterGoogle Bookmarks

Overview


CoolForum v 0.5 beta shows PHP content files
Discovered on 2002, September, 16th
Vendor: Cool Forum

CoolForum v 0.5 is a PHP forum. This forum can show content of PHP files.

Risk


Exploit easiness
Vulnerability spreading
Impact
Risk

Details


This forum contains a file named "avatar.php". This file can show an image stored in the logos directory. Here is the source file of avatar.php :

<?header('Pragma: no-cache');
if (ereg(".jpg",$img))
   header("Content-Type: image/jpeg");
else if (ereg(".gif",$img))
   header("Content-Type: image/gif");
header('Expires: 0');

$fichier="logos/$img";

$fp=fopen($fichier,"r");
$image=fread($fp,filesize($fichier));
fclose($fp);

echo($image);
?>

What this file do ? It's simple : It takes the name of the file as argument, read it fully, and send back the content to your browser.
The security flaw is that any file, in or out the logos directory can be show, bypassing any protected directories...

Exploit


The exploit is really easy. The aim is to read the connect.php file in the secret directory.connect.php contains the informations about the database connection and secret directory is protected by a .htaccess file. You can do the exploit with any browser by using this syntax :

http://<Forum_URL>avatar.php?img=../secret/connect.php

Of course, replace <Forum_URL> by the vulnerable server.
You will get this page :


If you edit the source of the web page, you'll get the jackpot...


Solution


The vendor has been informed and has solved the problem.
Download CoolForum 0.5.1 or lastest

Discovered by


Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com

Ils nous font confiance
© 2014 - Tous droits réservés - SecuriteInfo.com