Bugtraq mailing list archives
Re: PHP Advanced Transfer Manager v1.20 ; Multiple Remote File Include Vulnerabilities
From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Wed, 13 Sep 2006 12:46:33 +0200
Hi,

l0x3 () hotmail com wrote on Sun, 10 Sep 2006 17:19:00 +0000:

> +-------------------------------------------------------------------
> + Affected Software .: Software
> + Version .............: PHP Advanced Transfer Manager v1.20
> + Vendor ...........: http://phpatm.free.fr/
> + Class .............: Remote File Inclusion
> + Risk ..............: High (Remote File Ex3cut1on)
> + Discovered by ..........: Eddy_BAck0o
> + Contact ...........: l0x3[at]hotmail.com ; www.LEzr.com/vB
> +--------------------------------------------------------------------
> ~ [Login.php]

There is no Login.php, this must be login.php...

> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + include($include_location.'include/conf.php');
> + include($include_location.'include/common.'.$phpExt);
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

... and there we have

v 1.20:
$include_location = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].dirname($HTTP_SERVER_VARS['PHP_SELF'])."/";

v 1.30:
$include_location = dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME'])."/";

Looks like an initialization, if my eyes are not too bad. ;-)
Same with all other reported files.

If there is no way to manipulate the used HTTP_SERVER_VARS there is no way to include something. For sure not via $include_location.

Let's take a look at the PHP-Manual:
<http://www.php.net/manual/en/reserved.variables.php>

* DOCUMENT_ROOT
  The document root directory under which the current script is executing, as defined in the server's configuration file.

I guess if an attacker can manipulate the server's configuration file you have much more to worry about than a remote file inclusion. :-)

* PHP_SELF
  The filename of the currently executing script, relative to the document root.

* SCRIPT_FILENAME
  The absolute pathname of the currently executing script.

If one of them can be manipulated from remote, then that may be a vulnerability in PHP or the webserver, but not in the PHP-scripts.

So there is no vulnerability.

Regards
Carsten

--
Dipl.-Inform. Carsten Eilers
IT Security and Data Protection
<http://www.ceilers-it.de>
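The check made in the message above (is the include path prefix initialized before the include, and from what?), written as an added example that is not part of the original post or of phpATM. It is a line-based Python heuristic; the sample inputs are constructed from the lines quoted in the post, and `classify` and `triage_includes` are hypothetical names.

```python
import re

# Constructed sample: the v1.20 initialization and the two includes quoted in
# the post; the file layout around them is an assumption.
SAMPLE_INITIALIZED = """<?php
$include_location = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].dirname($HTTP_SERVER_VARS['PHP_SELF'])."/";
include($include_location.'include/conf.php');
include($include_location.'include/common.'.$phpExt);
"""
# Constructed counter-example: the same include with no initialization before it.
SAMPLE_UNINITIALIZED = """<?php
include($include_location.'include/conf.php');
"""

# include/require whose path expression starts with a variable (the path prefix).
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=(?!=)\s*(.+);\s*$')
VAR_RE = re.compile(r'\$(\w+)')
SERVER_SOURCES = {'HTTP_SERVER_VARS', '_SERVER'}
REQUEST_SOURCES = {'_GET', '_POST', '_COOKIE', '_REQUEST',
                   'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS'}

def classify(rhs):
    """Classify the right-hand side that initializes an include-path prefix."""
    if rhs is None:
        return 'unassigned'        # nothing in this file sets it before use
    used = set(VAR_RE.findall(rhs))
    if used & REQUEST_SOURCES:
        return 'request-derived'   # built from request parameters
    if used and used <= SERVER_SOURCES:
        return 'server-derived'    # built only from server variables
    return 'other'                 # constant or another variable: review by hand

def triage_includes(php_source):
    """Return (line_no, variable, status) per include whose path starts with a variable."""
    # Heuristic: one statement per line; conditionals and other files are not tracked.
    assigned, findings = {}, []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        assignment = ASSIGN_RE.match(line)
        if assignment:
            assigned[assignment.group(1)] = assignment.group(2)
            continue
        include = INCLUDE_RE.search(line)
        if include:
            var = include.group(1)
            findings.append((line_no, var, classify(assigned.get(var))))
    return findings
```

Only the variable that begins the include path is classified, since that is the variable the report names.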