[Full-Disclosure] Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7

[Majest]

Author:  [OfB|FistFucker]  -  (Majest)
Contact: http://www.ofb-clan.de/
I've reported the vulnerability to the programmer of BXCP. He released a 
patch for 'index.php' and a new version (0.2.9.8). You can get it from: 
http://www.bxcp.com/

----- Original Message ----- 
From: "Majest" <[EMAIL PROTECTED]>
To: <full-disclosure@lists.netsys.com>
Sent: Sunday, February 06, 2005 4:38 PM
Subject: Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7


Title:   Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7
Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
        #ofb-clan at irc.quakenet.org:6667

1. Local *.php file inclusion:
---------------------------------
Because of no user input validation in 'index.php' it's possible to 
include
every local *.php file. Let's take a look at the most important part of 
the
source code:

 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
  $show = $_REQUEST['show'];
  require ("config.php");
  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }
  $page = "show/$show.php";
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~
 Yeah, there is no validation of the variable '$show'. So we can easily 
access
 every local file ending with '.php', also in restricted directories like
 htaccess. We can easily jump outside the 'show' directory and include 
every
 file ending with '.php'!

 Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common
 Don't worry about the response "Hacking attempt". It's just a die() 
message
 from 'common.php' of their htaccess protected phpBB. ;-)

2. Full path disclosure:
---------------------------
 And by including the 'index.php' into itself with the above vulnerability 
we
 can cause a full path disclosure.

 Example URL: http://www.rz-liga.com/index.php?show=../index
3. Let's fix that shit! =)
-----------------------------
 Just replace in 'index.php':
 ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~
  $show = $_REQUEST['show'];
  if(ereg("\.\.", $show))
  {
    $show = '';
  }
  require ("config.php");
  if (!file_exists("show/$show.php"))
  {
    $notfound = $show;
    $show = 'error';
  }
  $page = "show/$show.php";
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~
4. Greetings:
----------------
 Greetings fly out to all members of OfB-Clan that know me. And sorry for 
the
 events that occured at and after the 25th December. Please forgive me and
 please stop seeing me as a criminal kiddie. Better see me as a guardian! 
=D


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html