https://sourceforge.net/p/phpnetzero/securety-holes/2006-04-18T17:35:42ZRecent changes to securety-holes2006-04-18T17:35:42Z2006-04-18T17:35:42ZFr0zenhttps://sourceforge.net/u/froz3n/https://sourceforge.net49321442d80bcc83ea69cd5b44e1b83ac28b1d26

<div class="markdown_content"><p>/*<br /> tested software:<br /> <a href="http://sourceforge.net/project/showfiles.php?group_id=71894">http://sourceforge.net/project/showfiles.php?group_id=71894</a></p> <p>description: "Php-ZeroNet is a script comprised of php<br /> allowing webmasters to start a online community.<br /> Php-ZeroNet features Content Management, News posting,<br /> User CP, interactive sytem, etc. Php-ZeroNet uses a<br /> wide range of different cases in its script, it can adapt."</p> <p>vulnerable code in function.php at lines 34-44:<br /> ...<br /> if (isset($_COOKIE['specifiedlayout'])) {<br /> //well it seems that the cookie to the layout that<br /> the user wants to see exists so display it<br /> $defaultlayout = $_COOKIE['specifiedlayout'];<br /> $result = $DB-&gt;query ("SELECT SiteName FROM<br /> preferences");<br /> list($sitename) = $DB-&gt;getrow($result);<br /> } else {<br /> //well it doesnt seem to exist so get the normal<br /> defaultlayout<br /> $result = $DB-&gt;query ("SELECT<br /> SiteName,defaultlayout FROM preferences");<br /> list($sitename, $defaultlayout) = $DB-&gt;getrow($result);<br /> }<br /> require("themes/$defaultlayout/index.php");<br /> ...</p> <p>if magic quotes off we can include local file through<br /> $defaultlayout<br /> which is set by COOKIE['specifiedlayout']</p> <p>this can be exploited by web browser however here is my POC<br /> */ </p></div>