php-proxima is a website portal system made in php. php-proxima is actually
a different version of php-nuke, very similar although it has some changes.
One of the changes is that php-proxima contains a file called autohtml.php.
By sending a specific request as shown bellow an attacker may be able to
include local files and therefore read them.
The problem appears here:
***************************
..
witch($op) {
case "modload":
if (!isset($mainfile)) { include("mainfile.php"); }
$index = 0;
include("header.php");
OpenTable();
include("autohtml/$name");
..
***************************
Since the case has been coded so poorly in terms of security, a user
can avoid including mainfile.php and inject anything into $name.
----------------------
Vendor Information:
----------------------
Homepage : http://www.php-proxima.com
Vendor : informed
Mailed advisory: 14/05/03
Vender Response : None
----------------------
Affected Versions:
----------------------
php-proxima 6.0 and prior
----------------------
Vulnerability:
----------------------
php-proxima is a website portal system made in php. php-proxima is actually
a different version of php-nuke, very similar although it has some changes.
One of the changes is that php-proxima contains a file called autohtml.php.
By sending a specific request as shown bellow an attacker may be able to
include local files and therefore read them.
The problem appears here:
***************************
..
witch($op) {
case "modload":
if (!isset($mainfile)) { include("mainfile.php"); }
$index = 0;
include("header.php");
OpenTable();
include("autohtml/$name");
..
***************************
Since the case has been coded so poorly in terms of security, a user
can avoid including mainfile.php and inject anything into $name.
Example:
http://victim/autohtml.php?op=modload&mainfile=x&name=<local filename>
----------------------
Solution:
----------------------
You can fix this problem by replacing
include("autohtml/$name");
with
// include("autohtml/$name");
Please check the vendor's website for new patches.
----------------------
Contact:
----------------------
Name: Mindwarper
Email: mindwarper (at) linuxmail (dot) org [email concealed]
Website: http://mindlock.bestweb.net
--
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr
Powered by Outblaze
[ reply ]