fosterghc.ru
Date: Wed Jul 04 2007 - 01:26:35 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[quote]
By Hasadya Raed
...
Script : SoftNews Media Group
...
Exploits:
http://www.Victim.com/engine/init.php?root_dir=[Shell-Attack]
http://www.Victim.com/engine/Ajax/editnews.php?root_dir=[Shell-Attack]
------------------------------------
By Hasadya Raed
[/quote]

fake, obviously

[quote]
Vulnerable: Softnews Media Group DataLife Engine 5.5
Softnews Media Group DataLife Engine 4.1
[/quote]

let's see as for DLE 5.5:
1) first php code lines in init.php:
if(!defined('DATALIFEENGINE'))

{

die("Hacking attempt!");

}

2) what about root_dir:

fosterfiber dle5.5 $ grep root_dir ./engine/init.php
fosterfiber dle5.5 $
No variable with 'root_dir' name...

fosterfiber dle5.5 $ grep -i root_dir ./engine/init.php
        if (is_dir(ROOT_DIR.'/templates/'.$category_skin))
        if (is_dir(ROOT_DIR.'/templates/'.$_REQUEST['skin_name']) AND $_REQUEST['skin_name'] != '')
        if (is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';
$tpl->dir = ROOT_DIR.'/templates/'.$config['skin'];
require_once ROOT_DIR.'/engine/engine.php';

ROOT_DIR - is defined constant, not variable. So, nobody can define it with GET query :)

The same for "engine/Ajax/editnews.php":

fosterfiber dle5.5 $ egrep -i root_dir engine/ajax/editnews.php
define('ROOT_DIR', '../..');
        if (is_dir(ROOT_DIR.'/templates/'.$_COOKIE['dle_skin']))
     include_once ROOT_DIR.'/language/'.$config["lang_".$config['skin']].'/website.lng';
     include_once ROOT_DIR.'/language/'.$config['langs'].'/website.lng';

Regards,

Foster [RST/GHC]

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]