[UNIX] PHP-Proxima Remote File Access Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/18/03
- Previous message: SecuriTeam: "[NT] IP Messenger for Win Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 18 May 2003 10:25:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
PHP-Proxima Remote File Access Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.php-proxima.com/> PHP-Proxima is a website portal system made
in PHP. PHP-Proxima is actually a different version of php-nuke, very
similar although it has some changes.
One of the changes is that PHP-Proxima contains a file called
autohtml.php. By sending a specific request as shown below, an attacker
may be able to include local files and therefore read them.
DETAILS
Vulnerable systems:
* PHP-Proxima 6.0 and prior
Vulnerable code:
The problem appears here:
***************************
.
witch($op) {
case "modload":
if (!isset($mainfile)) { include("mainfile.php"); }
$index = 0;
include("header.php");
OpenTable();
include("autohtml/$name");
.
***************************
Since the case has been coded so poorly in terms of security, a user can
avoid including mainfile.php and inject anything into $name.
Example:
ADDITIONAL INFORMATION
The information has been provided by <mailto:mindwarper@linuxmail.org>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
http://victim/autohtml.php?op=modload&mainfile=x&name=
Mind Warper.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability in the product allows attackers to get access to ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PVote is a PHP voting system. ... Delete vulnerability: ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... Dynu FTP Server Directory Traversal Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... Hushmail.com Accounts Vulnerable to Script Attack ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The vulnerability has been fixed on 13 September 2001 ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... vulnerability in the program allows attackers to execute of arbitrary code ... int main{ ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
