[UNIX] phpMyFAQ Local File Inclusion Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/18/04
To: list@securiteam.com Date: 18 May 2004 18:24:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpMyFAQ Local File Inclusion Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.phpmyfaq.de> phpMyFAQ is "a multilingual, completely
database-driven FAQ-system. For the time being a MySQL database (support
for other databases is under development) is used to store all data, PHP
4.1.0 (or higher) is needed in order to access this data. phpMyFAQ also
offers a Content Management- System, flexible multi-user support, a
news-system, user-tracking, language modules, templates, extensive
XML-support, PDF-support, a backup-system and an easy to use installation
script."
Within phpMyFAQ an input validation problem exists which allows an
attacker to include arbitrary local files. With known tricks to inject PHP
code into log or session files this could lead to remote PHP code
execution.
DETAILS
Vulnerable Systems:
* phpMyFAQ version 1.3.12 and prior
* phpMyFAQ version 1.4.0-alpha1 and prior (developer release)
During a quick audit of phpMyFAQ 1.3.12 and phpMyFAQ 1.4.0-alpha1, two
different input validation problems were discovered, one in each version.
In both cases the affected file is index.php, but in different places.
phpMyFAQ 1.3.12 constructs a template filename from user input in the
$action variable: it prefixes a directory name and appends an extension.
This means it is not possible to include arbitrary remote files, but it is
possible to use relative paths combined with '\0' string cut attacks to
view any file on the system that the web server can read, and under some
circumstances this could result in arbitrary PHP code execution if the
attacker is able to inject PHP code into known files.
phpMyFAQ 1.4.0-alpha1 fails to validate that a supplied language code is
valid. When constructing a language include filename the user-supplied
$lang variable is used without sanity checks. Similar to the previous
issue, this allows viewing any file on the system. Exploiting this flaw is
possible because realpath accepts paths like "dir/file.ext/../../..".
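As an added defensive illustration (not phpMyFAQ's own code), the two include sites described above can be hardened by resolving both filenames from strict allowlists instead of raw request input; the directory layout, the action names and the language file naming used here are assumptions.

```php
<?php
// Added example, not code from phpMyFAQ: safe construction of the template
// and language include filenames discussed in the advisory. Directory names,
// the action allowlist and the "language_xx.php" naming are assumed.

const TEMPLATE_DIR = __DIR__ . '/template';   // assumed layout
const LANG_DIR     = __DIR__ . '/lang';       // assumed layout

// Allowlist of action names. Anything not listed is replaced by a default,
// so "../" sequences and "\0" bytes never reach include() at all.
const ALLOWED_ACTIONS = ['main', 'search', 'show', 'add'];

function templateFile(string $action): string
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        $action = 'main';
    }
    return TEMPLATE_DIR . '/' . $action . '.tpl';
}

function languageFile(string $lang): string
{
    // A language code is two lowercase letters; the pattern implicitly
    // rejects "\0", "/", "." and anything else usable for path games.
    if (!preg_match('/^[a-z]{2}$/', $lang)) {
        $lang = 'en';
    }
    $base = realpath(LANG_DIR);
    if ($base === false) {
        throw new RuntimeException('language directory missing');
    }
    // Defence in depth: realpath() collapses "dir/file.ext/../../.." style
    // paths, so a prefix check on the resolved name still holds if the
    // regex above were ever loosened.
    $real = realpath($base . '/language_' . $lang . '.php');
    if ($real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        $real = $base . '/language_en.php';
    }
    return $real;
}

// Request parameters are untrusted strings; default them before validation.
$action = (string) ($_GET['action'] ?? 'main');
$lang   = (string) ($_GET['lang'] ?? 'en');

include templateFile($action);   // hypothetical include sites; the files
include languageFile($lang);     // are assumed to exist in the layout above
```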
Recommendation:
To protect your server against similar problems with include and require
statements involving remote files or '\0' cut attacks, I recommend you have
a look at http://www.hardened-php.net, which catches remote file includes
and '\0' attacks before they can cause damage.
Disclosure Timeline:
16. May 2004 - Vendor was notified via email.
18. May 2003 - Vendor has released new versions fixing this problem.
ADDITIONAL INFORMATION
The information has been provided by <mailto:s.esser@e-matters.de> Stefan
Esser.
The original article can be found at:
<http://security.e-matters.de/advisories/052004.html>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.