Membrepass /include/change.php aifon Variable Arbitrary PHP Code Execution

2006-08-31T09:48:59
ID OSVDB:28334
Type osvdb
Reporter DarkFig(gmdarkfig@gmail.com)
Modified 2006-08-31T09:48:59

Description

Vulnerability Description

Membrepass contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to '/include/change.php' not properly sanitizing user input supplied to the 'aifon' variable. The values passed to this variable are then stored on a configuration file which can be used by almost all other Membrepass scripts. This may allow an attacker to execute arbitrary commands leading to a loss of integrity.

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'off' and the register_globals PHP option is 'on'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Membrepass contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to '/include/change.php' not properly sanitizing user input supplied to the 'aifon' variable. The values passed to this variable are then stored on a configuration file which can be used by almost all other Membrepass scripts. This may allow an attacker to execute arbitrary commands leading to a loss of integrity.

Manual Testing Notes

http://[target]/include/change.php?ainfo="; $cmd = $_GET['cmd']; system($cmd); exit;

http://[target]/include/variable.php?cmd=dir

References:

Vendor URL: http://www.scripthp.com/ Secunia Advisory ID:21715 Related OSVDB ID: 28335 Related OSVDB ID: 28333 Other Advisory URL: http://acid-root.new.fr/advisories/09290806.txt Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0559.html Mail List Post: http://attrition.org/pipermail/vim/2006-September/001013.html ISS X-Force ID: 28692 FrSIRT Advisory: ADV-2006-3427 CVE-2006-4530 Bugtraq ID: 19790