Vulnerable : PHPMyNewsLetter 0.6.11
Vulnerability : Unauthorised file access
Product URL : http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted : 4.2.2003
Advisory by Eclipse at packx.net, visit www.packx.net.
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and
would not have fixed the vulnerability of PHPMyNewsLetter
even if the script had used the ereg function correctly
(PHPSecure.org released their fix in Nov. 2002).
I. Details
II. Patch
III. Credits
How PHPSecure.org "fixed" PHPMyNewsletter:
include/customize.php
<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
include($l);
}else{
echo "Lang File can't be found.";
}
<snip>
?>
What happens? The ereg function will always return TRUE, ! negates it to
FALSE, and so the IF condition always fails and no language file is ever included.
Why? http://www.php.net/manual/en/function.ereg.php
OK, why? Simply because "." is the regular-expression symbol for "any single
character", so ".." matches any filename of two or more characters.
So what happens if we "correct" the script and maintain the same technique?
<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>
It has the functionality PHPSecure.org wanted (preventing a directory
traversal), but who needs a directory traversal to access files?
So customize.php?l=../index.html would not work, but e.g.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work
perfectly.
include/customize.php (or php3, php4… whatever)
<?
$l = basename($l); # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){ # valid filename?
include($l); # Include
}else{
echo "Invalid language file";
exit;
}
$langfile = $l;
<snip>
?>
This only allows access to files beginning with "lang-" that are in the same
directory as customize.php (usually "include").
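The following is an added example (not the advisory's or PHPMyNewsLetter's own code) that replays the three checks discussed above against constructed inputs; since ereg() was removed in PHP 7, preg_match() is assumed as a stand-in with the same patterns.

```php
<?php
// Added example, not part of the original advisory. The function names and
// the sample inputs below are constructed for illustration.

// PHPSecure.org's check: "." matches any single character, so ".." matches
// every string of two or more characters and the check rejects every
// real language file.
function phpsecure_check(string $l): bool {
    return !preg_match('/../', $l);
}

// The "corrected" check: the escaped \.\. really rejects "..", but an
// absolute path contains no ".." and passes straight through.
function dotdot_check(string $l): bool {
    return !preg_match('/\.\./', $l);
}

// The advisory's patch logic: strip every directory component, then only
// accept names on the "lang-" allow-list. Returns the safe name or null.
function patched_name(string $l): ?string {
    $l = basename($l);
    return preg_match('/^lang-/', $l) ? $l : null;
}

// Constructed sample inputs: a legitimate file, a traversal, an absolute
// path, and a traversal that ends in a legitimate-looking name.
$inputs = ['lang-en.php', '../index.html',
           '/home/mywebspace_username/www/.htpasswd', '../../lang-en.php'];
foreach ($inputs as $in) {
    printf("%-42s phpsecure=%-5s dotdot=%-5s patched=%s\n", $in,
        var_export(phpsecure_check($in), true),
        var_export(dotdot_check($in), true),
        var_export(patched_name($in), true));
}
// The name returned by patched_name() should then be included relative to
// the script's own directory, e.g. include __DIR__ . '/' . $name, so that
// file_exists() is not evaluated against the current working directory.
```

Running this shows phpsecure_check() rejecting even lang-en.php, dotdot_check() accepting the absolute .htpasswd path, and patched_name() reducing ../../lang-en.php to lang-en.php while rejecting the other two.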
Eclipse at PackX.net
Regards,
Eclipse
[email protected]
www.packx.net