Author: saiy [FST]
Source: Firefox Technology Alliance [www.wrsky.com]
Keywords: php script invasion ofstar vulnerability
Profile: saiy is a core group member of Firefox Technology Alliance
Vulnerability name: ofstar PHP/txt forum serious vulnerability
Risk level: High
Note: internal release date 05/01/09, public release date 05/01/11
Note!!! Firefox Technology Alliance bears no responsibility for any losses caused by this method; whether the OFSTAR forum's ip.php is affected has not been confirmed.

Let's take a look at two lines of code in read.php:
$article = openfile("$dbpath/$fid/$tid.php");
$topic_detail = explode("|", $articlearray[0]);

You can see that this statement directly opens forumdir/<board name>/<post>.php and reads its content, split on the "|" separator. The post number ($tid) is something we can construct ourselves, but a file we are not meant to read can only be parsed if it is also stored with "|" separators, and OFSTAR happens to save its data that way; user information, for example, is preserved in exactly this format. Submitting the address http://localhost/read.php?fid=1&tid=../../userdir/saiy therefore reads saiy's password hash and displays it in the place of the username! With it you can forge a cookie and log in. The format is:
lastpp=1; ofstaradminid=<admin username>; ofstaradminpwd=<admin hashed password>; ol_offset=202; ofstarid=<username>; ofstarpwd=<hashed password>; lastvisit=1105276862

Vulnerability II: using message.php to manufacture spam short messages. (This method seems to have appeared in a magazine in June 2004.) First, let's look at the short-message part:
elseif (!file_exists("$userpath/$msg_ruser.php")) { $mes_info = "The user does not exist."; }

This code looks in the userdir folder ($userpath equals userdir here) for <username>.php, i.e. it checks whether userdir/<the username you entered>.php exists. If the user exists, how do we make use of this function? Suppose the username we enter is ../index; the check the code runs is then file_exists("userdir/../index.php"), which amounts to file_exists("./index.php"): the program checks whether the home page exists, and since it does, the "user" can receive a short message. Short messages are originally saved in the userdata/msgbox directory under the file name <username>1.php; this way our message ends up in the userdata/ directory under the name index1.php. We can write a program that checks that other files do not exist and then sends a short message, achieving the purpose of spamming. Some people will say that the forum limits repeated short messages. Yes, it does, but you will find that it does not work: when it prompts "please do not send short messages within 10 seconds" and you refresh the page, the message is still sent out!!

Vulnerability III: malicious deletion of file content. Deleting a short message on the forum is http://www.<some site>.com/message.php?action=del&msg=0&filename=saiy1.php. Everyone pay attention to saiy1.php. Let's look at message.php and see how it deletes short messages.
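All three problems above share one root cause: a user-supplied value ($tid, $msg_ruser, filename) is pasted into a filesystem path without checking its shape or where it resolves. The following hardening sketch is an added example, not OFSTAR's own code; the directory names forumdir and userdir are taken from the text, and the id and username patterns are assumptions about what those values should look like.

```php
<?php
// Added hardening example (not OFSTAR's code). It places the unsafe
// read.php pattern next to a version that rejects ../ traversal.
declare(strict_types=1);

// Vulnerable pattern from read.php: $tid is interpolated as-is, so a
// value such as "../../userdir/saiy" escapes forumdir/<fid>/.
function open_post_unsafe(string $dbpath, string $fid, string $tid): array
{
    return file("$dbpath/$fid/$tid.php") ?: [];
}

// Step 1: accept only the shape the value can legitimately have.
// Assumption: board and post ids are small positive integers.
function is_valid_id(string $id): bool
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $id) === 1;
}

// Assumption: usernames (message.php's $msg_ruser, and the file name
// used by action=del) are plain alphanumerics and underscore.
function is_valid_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// Step 2: resolve the final path and refuse it unless it still lies
// under the intended base directory. realpath() collapses "../", so
// userdir/../index.php resolves to index.php and fails the prefix test,
// which is exactly the file_exists() trick from message.php.
function confined_path(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $relative);
    if ($baseReal === false || $target === false) {
        return null;               // base missing, or file does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function open_post_safe(string $dbpath, string $fid, string $tid): ?array
{
    if (!is_valid_id($fid) || !is_valid_id($tid)) {
        return null;               // rejected before any disk access
    }
    $path = confined_path($dbpath, "$fid/$tid.php");
    return $path === null ? null : (file($path) ?: []);
}

// Usage: $lines = open_post_safe(__DIR__ . '/forumdir', $_GET['fid'] ?? '', $_GET['tid'] ?? '');
```

The same two steps apply to message.php: validate $msg_ruser with is_valid_name() and confine the resulting userdir/<name>.php and msgbox file paths with confined_path() before calling file_exists() or unlink().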