SecurityvulnsSECURITYVULNS:DOC:18652Phpay - Local File Inclusion
By Michael Brooks
Vulnerability Type:Local File Inclusion
Software: Phpay
Homepage:http://sourceforge.net/projects/phpay/
Version Affected:2.02.1
Phpay has been affected by multiple local file include flaws, as a result this patch was written:
$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("β¦/","", $config));
$config = trim(ereg_replace("/","", $config));
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!β$configβ>\n";}
if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? β¦"; exit;}
require("./$config");
To bypass this patch backslashes can be used instead of forward slashes on windows systems.
Also .inc.php must exists somewhere in the string.
Local File Include for windows only:
or if magic_quotes_gpc is turned on:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess
Remote code execution is accessible in the ./admin/ folder.
The admin folder should be protected by a .htaccess file similar to osCommerce2.
Vulnerable configuration:
A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue.
Merry Christmas