[UNIX] Unauthorized File Access Vulnerability Found in phpMyNewsletter

From: support@securiteam.com
Date: 02/20/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 20 Feb 2003 20:45:01 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Unauthorized File Access Vulnerability Found in phpMyNewsletter


     <http://gregory.kokanosky.free.fr/phpmynewsletter/> phpMyNewsletter is a
    newsletter management script written in PHP. A security hole allowing
    unauthorized access to arbitrary files (for example /etc/passwd) has been
    found in the product. The vulnerability occurs even after the patch by
    <http://www.securiteam.com/unixfocus/6U0011P5QQ.html> phpsecure.org has
    been applied.


    Vulnerable versions:
     * phpMyNewsletter version 0.6.11 and prior
     * phpMyNewsletter version 0.7 (beta)

    Immune versions:
     * phpMyNewsletter version 0.6.12 and above

    The patch was (the include/else branches, dropped by the list formatting,
    are restored here from the same if/else shape used in the workaround below):

    ---from /include/customize.php -----------------

     $langfile = $l;
     if ((!ereg("..",$l)) AND (file_exists($l))){
      include($l);
     } else {
      echo "Lang File can't be found.";
     }


    This patch caused the code to cease functioning as it should:

    ereg("..", $l) returns TRUE for every $l of at least two characters,
    so !ereg("..", $l) is FALSE for any usable file name and nothing is ever
    included.
    This happens because "." is evaluated as a regular expression
    metacharacter matching any single character, so ".." matches any two
    characters rather than a literal "..".
    See <http://www.php.net/manual/en/function.ereg.php> Ereg Function for
    more details. (ereg() itself was deprecated in PHP 5.3 and removed in
    PHP 7.0; the equivalent call today is preg_match('/\.\./', $l).)

    To fix the problem:

    if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){

    Matching a literal ".." does stop customize.php?l=../index.html, but
    customize.php?l=/etc/passwd still works, because an absolute path contains
    no ".." at all; and since the value is handed to include(), any PHP code in
    the named file is executed as well as read (there is no need for directory
    traversal to access arbitrary

    The Workaround (again with the else branch and closing braces restored):
     $l = basename($l); # Sanitize: drop any directory part, including ".." and leading "/"
     if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){ # valid: plain file name with the lang- prefix
      include($l); # Include
     } else {
      echo "Invalid language file";
     }

     $langfile = $l;



    This will allow access only to files which are located in the same
    directory as customize.php (usually /include) and begin with lang-.
    Strictly speaking, a bare file name is resolved by file_exists() against
    the current working directory (and by include() against the include_path
    as well), which for a web request is normally the script's own directory;
    prefixing the name with dirname(__FILE__) . "/" pins the lookup to
    /include regardless of how the script is invoked.
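    The three checks discussed above, run side by side over the same query
    values, as an added example (this is not code from the advisory or from
    phpMyNewsletter). It uses preg_match() in place of ereg(), which no longer
    exists in PHP 7 and later, and modern PHP syntax. $l stands for the l
    query parameter, which the 2003 code received through register_globals;
    the input strings are constructed test values and lang-en.php is a
    hypothetical language file name in an assumed /include directory.

```php
<?php
// Added example, not phpMyNewsletter code. Demonstrates why the
// phpsecure.org patch broke, why the literal-dot fix is still bypassable
// with an absolute path, and what the basename()+prefix workaround rejects.

// 1. The patch: "." is a regex metacharacter, so ".." matches ANY two
//    characters and every real file name is rejected (function never includes).
function check_patch(string $l): bool {
    return !preg_match('/../', $l);
}

// 2. The literal fix: "\.\." matches only a real "..". Traversal is blocked,
//    but an absolute path such as /etc/passwd contains no ".." and passes.
function check_literal(string $l): bool {
    return !preg_match('/\.\./', $l);
}

// 3. The workaround: strip any directory part, then require the lang- prefix.
//    Returns the sanitized file name on success, null on rejection.
function check_workaround(string $l): ?string {
    $l = basename($l);                      // "/etc/passwd" -> "passwd", "../x" -> "x"
    return preg_match('/^lang-/', $l) ? $l : null;
}

// Same check, but anchored to a fixed directory instead of the process cwd,
// so the lookup cannot drift if the script is invoked from elsewhere.
// $dir is the caller's language directory (assumed; e.g. __DIR__ in customize.php).
function resolve_lang_file(string $l, string $dir): ?string {
    $name = check_workaround($l);
    if ($name === null) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    return is_file($path) ? $path : null;    // reject names that do not exist there
}

// Constructed inputs: a legitimate name, the traversal attempt from the
// advisory, the absolute-path bypass, and a name that tries to smuggle a
// traversal behind the required prefix.
$inputs = ['lang-en.php', '../index.html', '/etc/passwd', 'lang-../../etc/passwd'];

printf("%-24s %-8s %-8s %s\n", 'input', 'patch', 'literal', 'workaround');
foreach ($inputs as $l) {
    printf("%-24s %-8s %-8s %s\n",
        $l,
        check_patch($l)   ? 'allow' : 'reject',
        check_literal($l) ? 'allow' : 'reject',
        check_workaround($l) ?? 'reject');
}

// In customize.php the call would be resolve_lang_file($_GET['l'] ?? '', __DIR__);
// here the hypothetical file does not exist on disk, so this prints "not found".
$path = resolve_lang_file('lang-en.php', __DIR__);
echo "resolve_lang_file('lang-en.php'): ", $path ?? 'not found', "\n";
```

    Of the four inputs only lang-en.php survives the workaround; the patch
    rejects all four (which is the bug), and the literal fix lets /etc/passwd
    through. The prefix test still admits any lang-* file in the directory;
    if the set of supported languages is fixed, an explicit allow-list of
    names is tighter than a prefix match.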

    There is a patch available at the phpMyNewsletter site:


    This information has been provided by <mailto:eclipse@packx.net> Eclipse


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.