Lucene search
SecurityvulnsSECURITYVULNS:DOC:14215HistorySep 11, 2006 - 12:00 a.m.
PUMA 1.0 RC 2 (config.php) Remote File Inclusion
2006-09-1100:00:00
vulners.com
20
±-------------------------------------------------------------------
+
- PUMA 1.0 RC 2 (config.php) Remote File Inclusion
- Original advisory:
- http://www.bb-pcsecurity.de/Websecurity/415/org/PUMA_1.0_RC_2_(config.php)_RFI.htm
±-------------------------------------------------------------------
+
- Affected Software .: PUMA 1.0 RC 2
- Venedor …: http://php.psywerx.net/
- Class …: Remote File Inclusion
- Risk …: high (Remote File Execution)
- Found by …: Philipp Niedziela
- Contact …: webmaster[at]bb-pcsecurity[.]de
±-------------------------------------------------------------------
+
- Affected File:
- /config.php
- Code:
- …
- // Select language
- $lang = "lang_english.php";
- include($fpath."./language/$lang");
- …
±-------------------------------------------------------------------
+
- $fpath is not properly sanitized before being used
±-------------------------------------------------------------------
+
- Solution:
- -> Declare $fpath!
- -> Deny direct access to config.php
- -> or modify code:
- if(!isset($_REQUEST['fpath']) && !isset($_GET['fpath']) && !isset($_POST['fpath'])){
- //code of org. config.php
- }
- else {
- echo "You cannot access this file directly.";
- die();
- }
±-------------------------------------------------------------------
+
- PoC:
- http://[target]/config.php?fpath=[script]
±-------------------------------------------------------------------
+
- Greets and Thanks: /str0ke
±------------------------[ E O F ]----------------------------------