Overview
CoolForum v0.5 beta discloses the contents of PHP files
Discovered on September 16th, 2002
Vendor: Cool Forum
CoolForum v0.5 is a PHP forum. Its avatar.php script can be made to return the contents of any file the web server can read, including the source of PHP files.
Risk
Risk ratings (exploit easiness, vulnerability spreading, impact, overall risk): not recovered from the original page.
Details
This forum contains a file named "avatar.php", which serves an image stored in the logos directory. Here is the source of avatar.php:
<?
header('Pragma: no-cache');
// $img is never declared in the script: it arrives straight from the query
// string through register_globals (enabled by default in PHP 4 at the time).
// Note that ereg(".jpg", ...) is a regex match, so the dot matches any character.
if (ereg(".jpg",$img))
header("Content-Type: image/jpeg");
else if (ereg(".gif",$img))
header("Content-Type: image/gif");
header('Expires: 0');
// The user-controlled name is appended to the directory with no check for "..",
// slashes or file type, then the whole file is read and echoed back.
$fichier="logos/$img";
$fp=fopen($fichier,"r");
$image=fread($fp,filesize($fichier));
fclose($fp);
echo($image);
?>
What does this file do? It is simple: it takes the name of a file as its argument, reads it completely and sends the content back to your browser.
The security flaw is that the file name is never validated, so any file, inside or outside the logos directory, can be displayed. Because the script reads the file from the filesystem with the web server's own privileges, protections that the web server enforces on the request path (such as a .htaccess file) are bypassed.
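The following hardened replacement for avatar.php is an added example written for this page; it is not CoolForum's own code nor the vendor's fix. It assumes that avatars live in a "logos" directory next to the script and that only .jpg and .gif files are ever meant to be served; the file name is read explicitly from $_GET instead of relying on register_globals, restricted to a plain name with no path separators, and the resolved path is checked to still lie inside logos/ before anything is read.

```php
<?php
// Hardened avatar.php (added example, not CoolForum's code).
// Assumptions: images live in ./logos relative to this script, and only
// .jpg and .gif avatars are ever served.
header('Pragma: no-cache');
header('Expires: 0');

$logos = realpath(__DIR__ . '/logos');
// Read the parameter explicitly; never depend on register_globals.
$img = isset($_GET['img']) ? $_GET['img'] : '';

// 1. Accept only a bare file name: letters, digits, "_", "-" and ".", and
//    no ".." sequence. This alone blocks "../secret/connect.php", absolute
//    paths and NUL bytes.
if (!preg_match('/^[A-Za-z0-9_.-]+$/', $img) || strpos($img, '..') !== false) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid avatar name');
}

// 2. Only the two image types the original script knew about, chosen by the
//    real extension rather than a substring match anywhere in the name.
$types = array('jpg' => 'image/jpeg', 'gif' => 'image/gif');
$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    header('HTTP/1.0 400 Bad Request');
    exit('unsupported avatar type');
}

// 3. Defence in depth: resolve the final path (following symlinks) and refuse
//    it unless it is a regular file that still sits inside the logos directory.
$path = realpath($logos . '/' . $img);
if ($path === false
    || strpos($path, $logos . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('no such avatar');
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

Step 1 is what actually closes the hole described in this advisory; step 3 additionally catches a symlink dropped into logos/ that points elsewhere, and a request such as avatar.php?img=../secret/connect.php now gets a 400 instead of the file.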
Exploit
The exploit is really easy. The aim is to read the connect.php file in the secret directory: connect.php contains the database connection information, and the secret directory is protected by a .htaccess file. You can do the exploit with any browser by using this syntax:
http://<Forum_URL>avatar.php?img=../secret/connect.php
Of course, replace <Forum_URL> with the address of the vulnerable server.
You will get a page that looks empty, because the browser hides the PHP tags; view the source of the web page and you'll get the jackpot: the raw contents of connect.php, database credentials included.
Solution
The vendor has been informed and has fixed the problem.
Download CoolForum 0.5.1 or later.
Discovered by
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
Tags
VULNERABILITY RESEARCH
INFORMATION LEAK
WEB SITE