PHPMyNewsLetter 0.6.11 - customize.php include problem

2003-02-08 00:00:00
vulners.com

Vulnerable : PHPMyNewsLetter 0.6.11
Vulnerability : Unauthorised file access
Product URL : http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted : 4.2.2003

Advisory by Eclipse at packx.net, visit www.packx.net.

Description

PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and
would not have fixed the vulnerability of PHPMyNewsLetter
even if the script had used the ereg function correctly
(PHPSecure.org released their fix in Nov. 2002).

I. Details
II. Patch
III. Credits

I. Details

How PHPSecure.org "fixed" PHPMyNewsletter:

include/customize.php

<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
include($l);
}else{
echo "Lang File can't be found.";
}

<snip>

?>

What happens? The ereg function always returns TRUE, ! negates it to
FALSE, and so the IF branch never runs: no language file is ever included.
Why? http://www.php.net/manual/en/function.ereg.php
Simply because "." in a regular expression is the symbol for "any single
character", so the pattern matches every filename and not a literal "..".

So what happens if we "correct" the script and keep the same technique?

<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>

It has the functionality PHPSecure.org wanted (preventing a directory
traversal),
but who needs a directory traversal to access files?

So customize.php?l=../index.html would not work, but e.g.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work
perfectly, because file_exists() and include() accept absolute paths.

Fix

include/customize.php (or php3, php4… whatever)

<?
$l = basename($l); # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){ # valid filename?
include($l); # Include
}else{
echo "Invalid language file";
exit;
}

$langfile = $l;

<snip>

?>

This allows including only files beginning with "lang-" that are in the same
directory as customize.php (usually "include"): basename() strips any
directory part, so neither "../" nor an absolute path can leave that directory.
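The three checks discussed above (PHPSecure.org's ".." pattern, the escaped "\.\." pattern, and the basename() plus "lang-" prefix fix), replayed side by side against a constructed include directory. This is an added example, not code from the advisory or from PHPMyNewsLetter; it models ereg()/file_exists() with Python's re and os.path, and the directory layout and file names are assumptions.

```python
import os
import re
import tempfile

def make_fixture():
    # Constructed layout: include/ holds two real language files,
    # and a secret .htpasswd sits one level above it.
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "include")
    os.makedirs(inc)
    for name in ("lang-en.php", "lang-fr.php"):
        with open(os.path.join(inc, name), "w") as f:
            f.write("<?php /* %s */ ?>" % name)
    with open(os.path.join(root, ".htpasswd"), "w") as f:
        f.write("admin:secret")
    return inc

def phpsecure_check(l, inc):
    # PHPSecure.org's version: "." matches any character, so ".." matches
    # every name of two or more characters and nothing is ever accepted.
    return (not re.search("..", l)) and os.path.exists(os.path.join(inc, l))

def escaped_check(l, inc):
    # The "corrected" pattern: a literal ".." is rejected, but an absolute
    # path contains no ".." and file_exists() happily follows it.
    return (not re.search(r"\.\.", l)) and os.path.exists(os.path.join(inc, l))

def advisory_check(l, inc):
    # The advisory's fix: drop any directory part, then require the
    # "lang-" prefix and existence inside the include directory.
    l = os.path.basename(l)
    return bool(re.search("^lang-", l)) and os.path.exists(os.path.join(inc, l))

def evaluate(inc):
    # Probes: a legitimate language file, a traversal, and an absolute path
    # to the secret (the case the advisory says the escaped check misses).
    probes = [
        "lang-en.php",
        "../.htpasswd",
        os.path.join(os.path.dirname(inc), ".htpasswd"),
    ]
    checks = {"phpsecure": phpsecure_check,
              "escaped": escaped_check,
              "advisory": advisory_check}
    return {name: [fn(p, inc) for p in probes] for name, fn in checks.items()}

if __name__ == "__main__":
    for name, results in evaluate(make_fixture()).items():
        print(name, results)
```

Only the advisory's check accepts the language file while rejecting both the traversal and the absolute path; PHPSecure.org's version rejects everything, which is the "broken functionality" the advisory describes.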

Credits

Eclipse at PackX.net

Regards,
Eclipse
[email protected]
www.packx.net
IDScenter 1.1 RC1 and EagleX IDS environment released