MyBace Light (hauptverzeichniss) Remote File Inclusion

vendor:

My Bace Light

by:

Philipp Niedziela

7.5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: My Bace Light

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

MyBace Light (hauptverzeichniss) Remote File Inclusion

MyBace Light is vulnerable to a Remote File Inclusion vulnerability due to the lack of proper sanitization of the $hauptverzeichniss and $template_back variables in the includes/login_check.php and admin/login/content/user_daten.php files respectively. An attacker can exploit this vulnerability to execute arbitrary code on the vulnerable system.

Mitigation:

Deny direct access to these files using a .htaccess-file or modify code to check for the presence of the variables before using them.

Source

Exploit-DB raw data:

+--------------------------------------------------------------------
+
+ MyBace Light (hauptverzeichniss) Remote File Inclusion
+
+ Original advisory:
+ http://www.bb-pcsecurity.de/Websecurity/384/MyBace_Light_(hauptverzeichniss)_Remote_File_Inclusion.htm
+--------------------------------------------------------------------
+
+ Affected Software .: My Bace Light
+ Venedor ...........: http://www.onlinemacher.de/
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ Affected Files:
+  includes/login_check.php
+           var: $hauptverzeichniss
+
+  admin/login/content/user_daten.php
+           var: $template_back
+
+--------------------------------------------------------------------
+
+ $hauptverzeichniss & $template_back is not properly sanitized before being used
+
+--------------------------------------------------------------------
+
+ Solution:
+ Deny direct access to these files using a .htaccess-file
+ or modify code:
+
+ if(!isset($_REQUEST['hauptverzeichniss']) &&
!isset($_GET['hauptverzeichniss'])
+     && !isset($_POST['hauptverzeichniss'])){
+ //code of org. *.php
+ }
+ else {
+ echo "You cannot access this file directly.";
+ die();
+ }
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/includes/login_check.php?hauptverzeichniss=[shell]
+
+--------------------------------------------------------------------
+
+ Notice: I've tried to contact venedor 3 weeks ago, but no answer yet...
+
+
+ Greets: /str0ke
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-09-01]