Recent File Inclusion vulnerabilities

Here is a short summary of recent File Inclusion vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.

Multiple Vulnerabilities in NX5Linkx.

Description.

Vulnerable script: link.php

Parameter logo is not properly sanitized. It is used as a full local path to the logo file. The script copies this file into the logos directory, which is accessible from the web.

This can be used to read arbitrary files.

Vulnerable scripts: the names of these scripts are defined by the webmaster. The first (a) displays the links list; the second (b) is the "out" script that performs the redirect when someone clicks on a link.

Parameters c (script "a") and l (script "b") are not properly sanitized before being used in an SQL query. This can be used to run arbitrary SQL queries or to perform an HTTP response-splitting attack by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off

Vulnerable Script: link.php

Parameter url is not properly sanitized. This can be used to perform an HTTP Response Splitting attack.

Exploit.

URL: http://host/link.php

Logo URL: /etc/passwd

This file can be downloaded using the link:

http://host/logos/N.

where N is the ID of the link.

http://host/links.php?c=999'%20union%20select%201,222/*

http://host/out.php?l=999' union select 1,1,'http://google.com',1,1,1,1/*

URL: http://host/link.php

URL(in form): http://host.com%0D%0A%0D%0AHTTP/1.0 200 OK%0D%0A%0D%0A.......

Solution

Solution is not available.


Arbitrary File Disclosure Vulnerability in Quirex.

Description.

Vulnerable Script: convert.cgi

Variables $quiz_head, $quiz_foot and $template are not properly sanitized. This can be used to read arbitrary files.

System access is possible.

Exploit.

File Disclosure Example

Url: http://host/cgi-bin/quirex/convert.cgi

Path to quiz_head.txt: [arbitrary file]

Path to quiz_foot.txt: [arbitrary file]

Output file: [output file]

Solution

Solution is not available.


File Inclusion Vulnerability in PHP iCalendar.

Description.

File: functions/template.php

Function parse($file) calls include($file) without correct sanitization of the variable $file.

File: search.php

Parameter getdate isn't properly sanitized and may contain a file path.

Together, this can be used to include arbitrary server-side files.

System access is possible.

Exploit.

File inclusion example:

http://host/icalendar/search.php?getdate=[anyfile]

Solution.

Vendor-provided patch is available at:

http://dimer.tamu.edu/phpicalendar.net/forums/viewtopic.php?p=1869#1869

Directory Traversal and Data Disclosure in RCBlog.

Description.

1. Directories data and config are not protected by htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.

2. Directory traversal is possible.

Vulnerable script: index.php

Variable $_GET[post] isn't properly sanitized. This can be used to open arbitrary files with the txt extension. The administrator's login and password are at risk.

The administrator has the ability to upload arbitrary files.

System access is possible.

Exploit.

Directory traversal example:

http://host/rcblog/index.php?post=../config/password

Solution

Solution is not available.
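A defensive counterpart to the inclusion and traversal issues described above for PHP iCalendar and RCBlog, added here as an example and not taken from either project: a post loader that refuses tainted paths. The <base>/<name>.txt layout, the $baseDir and $post names and the function names are assumptions made for this example.

```php
<?php
// Added example (not RCBlog's or PHP iCalendar's own code): a safe loader for
// post files that resists both include($file) with a tainted path and the
// "../config/password" traversal shown above.
// Assumed layout: posts are stored as <base>/<name>.txt; $baseDir, $post and
// the function names are hypothetical, chosen for this example.

// Vulnerable pattern, as the advisories describe it: the request parameter
// becomes part of a filesystem path with no check on where it points.
function load_post_vulnerable(string $baseDir, string $post)
{
    return file_get_contents($baseDir . '/' . $post . '.txt');
}

// Hardened version: allow-list the characters, then canonicalize and confirm
// the resolved path is still inside $baseDir before reading it.
function load_post_safe(string $baseDir, string $post): ?string
{
    // 1. Accept only a plain post identifier; this rejects "../", absolute
    //    paths and null bytes before they ever reach the filesystem.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $post) !== 1) {
        return null;
    }
    // 2. realpath() resolves ".." and symlinks and returns false for a
    //    missing file, so the prefix check below cannot be bypassed by either.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $post . '.txt');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // 3. Read the file as data; never include() or require() a user-selected file.
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Demonstration on a constructed temporary layout (posts dir plus a config dir
// one level up, like the advisory's ../config/password case).
$tmp = sys_get_temp_dir() . '/rcblog_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/data/posts", 0700, true);
mkdir("$tmp/config", 0700, true);
file_put_contents("$tmp/data/posts/hello.txt", "first post\n");
file_put_contents("$tmp/config/password.txt", "constructed sample secret\n");

$traversal = '../../config/password';
echo "safe, valid post:      ", var_export(load_post_safe("$tmp/data/posts", 'hello'), true), "\n";
echo "safe, traversal:       ", var_export(load_post_safe("$tmp/data/posts", $traversal), true), "\n";
echo "vulnerable, traversal: ", var_export(load_post_vulnerable("$tmp/data/posts", $traversal), true), "\n";
```

The same allow-list-then-canonicalize check applies to the getdate parameter in PHP iCalendar's search.php; the essential point is that a request parameter should select among known files, never name a path.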
