PHPMyNewsLetter 0.6.11 - customize.php include problem

From: Ueli Kistler (iukat_private)
Date: Tue Feb 04 2003 - 16:08:44 PST


    Vulnerable    : PHPMyNewsLetter 0.6.11
    Vulnerability    : Unauthorised file access
    Product URL    : http://gregory.kokanosky.free.fr/phpmynewsletter/
    Contacted    : 4.2.2003
    
    Advisory by Eclipse at packx.net, visit www.packx.net.
    
    Description
    ===========
    PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter, and it
    would not have fixed the vulnerability of PHPMyNewsLetter even if the
    ereg() call had been written correctly
    (PHPSecure.org released their fix in Nov. 2002).
    
    I.    Details
    II.    Patch
    III.    Credits
    
    I. Details
    ==========
    
    How PHPSecure.org "fixed" PHPMyNewsletter:
    
     include/customize.php
    
     <?
     $langfile = $l;
     if ((!ereg("..",$l)) AND (file_exists($l))){
      include($l);
     }else{
      echo "Lang File can't be found.";
     }
    
    <snip>
    
     ?>
    
    What happens? In a regular expression an unescaped "." stands for "any
    single character", so ereg("..", $l) matches any value of two or more
    characters and always returns TRUE; "!" negates that to FALSE, so the
    IF branch is never taken and the language file is never included.
    Reference: http://www.php.net/manual/en/function.ereg.php
    
    So what happens if we "correct" the script and maintain the same technique?
    
    <snip>
    if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
    <snip>
    
    This has the functionality PHPSecure.org wanted (preventing directory
    traversal), but who needs directory traversal to access files?
    
    So customize.php?l=../index.html would no longer work, but an absolute
    path such as customize.php?l=/home/mywebspace_username/www/.htpasswd
    still works perfectly.
    
    Fix
    ===
    
     include/customize.php (or php3, php4.. whatever)
    
     <?
     $l = basename($l);                         # Sanitize
     if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){        # valid filename?
      include($l);                            # Include
     }else{
      echo "Invalid language file";
      exit;
     }
    
     $langfile = $l;
    
     <snip>
    
     ?>
    
    This only allows including files whose name begins with "lang-" and
    that are in the same directory as customize.php (usually "include").
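    To make the difference between the three checks concrete, here is a
    small added example (not part of the original advisory, and not the
    project's PHP) that re-implements each filter in Python with the re
    module and runs them over a few sample values of the "l" parameter.
    The first two sample paths are the ones quoted above; the remaining
    values and the function names are made up for this illustration, and
    the file_exists() part of the real code is left out.

```python
import os
import re

# Constructed sample values of the "l" request parameter. The first two
# are the paths quoted in the advisory; the rest are made up here.
SAMPLE_INPUTS = [
    "lang-en.php",
    "../index.html",
    "/home/mywebspace_username/www/.htpasswd",
    "../elsewhere/lang-de.php",
    "notes.txt",
]


def phpsecure_filter(l):
    """The PHPSecure.org check: !ereg("..", $l).

    An unescaped "." matches any single character, so ".." matches every
    value of two or more characters; the negated test is therefore FALSE
    for every realistic filename (only a value shorter than two characters
    would get through)."""
    return not re.search("..", l)


def escaped_dots_filter(l):
    """The "corrected" check: !ereg("\\.\\.", $l).

    Rejects any value containing a literal "..", i.e. directory traversal,
    but says nothing about absolute paths."""
    return not re.search(r"\.\.", l)


def basename_allowlist(l):
    """The advisory's fix: basename($l), then require a "lang-" prefix.

    Returns the sanitised filename that would be passed to include(), or
    None when the value is rejected. The real code additionally requires
    file_exists(); that does not change which kinds of value each filter
    lets through, so it is omitted here. Note that os.path.basename() and
    PHP's basename() differ on trailing slashes (PHP strips them), which
    does not matter for these inputs."""
    name = os.path.basename(l)
    if re.search("^lang-", name):
        return name
    return None


def compare_filters(inputs=SAMPLE_INPUTS):
    """Return, per filter, the values that would reach include()."""
    return {
        "phpsecure": [l for l in inputs if phpsecure_filter(l)],
        "escaped_dots": [l for l in inputs if escaped_dots_filter(l)],
        "basename_allowlist": [
            basename_allowlist(l) for l in inputs if basename_allowlist(l)
        ],
    }


if __name__ == "__main__":
    for name, accepted in compare_filters().items():
        print(f"{name:20s} -> {accepted}")
```

    Running it shows the three behaviours side by side: the PHPSecure.org
    filter rejects every sample (nothing is ever included), the escaped
    version blocks "../index.html" but still lets the absolute .htpasswd
    path through, and the basename plus "lang-" allowlist reduces every
    value to a plain filename in the include directory and only accepts
    the two language files.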
    
    Credits
    =======
    Eclipse at PackX.net
    
    Regards,
     Eclipse
     eclipseat_private
     www.packx.net
     IDScenter 1.1 RC1 and EagleX IDS environment released
    
    This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 14:20:24 PST