Phpay - Local File Inclusion Dec 14 2007 10:03PM
th3 r00k nospam pork gmail com
By Michael Brooks

Vulnerability Type:Local File Inclusion

Software: Phpay


Version Affected:2.02.1

Phpay has been affected by multiple local file include flaws, as a result this patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}


To bypass this patch backslashes can be used instead of forward slashes on windows systems.

Also .inc.php must exists *somewhere* in the string.

Local File Include for windows only:


or if magic_quotes_gpc is turned on:


Remote code execution is accessible in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration:

A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.

Merry Christmas

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus