Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: web5732.htm

CoolForum shows content of PHP files
4th Oct 2002 [SBWID-5732]

	CoolForum shows content of PHP files


	CoolForum v 0.5 beta


	Thanks  to  Arnaud  Jacques   aka   scrap   []
	[] kind post :



	 .oO  Details Oo.


	This forum contains a file named "avatar.php". This  file  can  show  an
	image stored in the "logos"  directory.  Here  is  the  source  file  of
	avatar.php :

	<? header('Pragma: no-cache');

	if (ereg(".jpg",$img))

	header("Content-Type: image/jpeg");

	else if (ereg(".gif",$img))

	header("Content-Type: image/gif");

	header('Expires: 0');











	What this file do ? It's simple : It takes  the  name  of  the  file  as
	argument, read it fully, and send back the content to your browser.  The
	security flaw is that *any* file, in or *out* the  logos  directory  can
	be show, bypassing *any* protected directories...


	 .oO  Exploit Oo.


	The exploit is really easy. The aim is to read  the  "connect.php"  file
	in the  "secret"  directory.  "connect.php"  contains  the  informations
	about the database connection and "secret" directory is protected  by  a
	.htaccess file. You can do the exploit with any browser  by  using  this
	syntax  :  http://<Forum_URL>avatar.php?img=../secret/connect.php  Of
	course, replace <Forum_URL> by the vulnerable server. You will get  a
	blank page. If you edit the source of this  web  page,  you'll  get  the


	 .oO  Solution Oo.


	The vendor has been  informed  and  has  solved  the  problem.  Download
	CoolForum 0.5.1 or lastest at :



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH