Vulnerable : PHPMyNewsLetter 0.6.11
Vulnerability : Unauthorised file access
Product URL : http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted : 4.2.2003
Advisory by Eclipse at packx.net, visit www.packx.net.
Description
===========
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and
wouldn't fix the vulnerability of PHPMyNewsLetter
even if we would write the script using ereg-function correctly
(PHPSecure.org released their fix in Nov. 2002).
I. Details
II. Patch
III. Credits
I. Details
==========
How PHPSecure.org "fixed" PHPMyNewsletter:
include/customize.php
<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
include($l);
}else{
echo "Lang File can't be found.";
}
<snip>
?>
What happens? The ereg function will always return TRUE and ! will
negate to FALSE, causing IF to abort always.
Why? http://www.php.net/manual/en/function.ereg.php
OK why? Simply because "." is used as symbol for "any single character".
So what happens if we "correct" the script and maintain the same technique?
<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>
It has the functionlity PHPSecure.org wanted (prevent a directory
traversal),
but who needs a directory traversal to access files?
So customize.php?l=../index.html would not work, but e.x.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work
perfectly.
Fix
===
include/customize.php (or php3, php4.. whatever)
<?
$l = basename($l); # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){ # valid filename?
include($l); # Include
}else{
echo "Invalid language file";
exit;
}
$langfile = $l;
<snip>
?>
This allows accessing files begining with "lang-", that are in the same
directory as customize.php ("include" usually)
Credits
=======
Eclipse at PackX.net
Regards,
Eclipse
eclipse@packx.net
www.packx.net
IDScenter 1.1 RC1 and EagleX IDS environment released
--
