Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.

To: Bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
From: Amelie <amelie@xxxxxxxxxxxxxxxxxx>
Date: Wed, 12 Jul 2006 16:22:10 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: amelie@xxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

Hi there,

I would like to point out that the security vulnerability quoted below(and seen here:http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html -submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.comscript, PHPAskIt, is incorrect. I am the author of this script and canconfidently say that no such hack can take place through theconvertaa.php and convertwakqa.php files. This has been fully tested bymyself and others when we became aware of the supposed vulnerability.The reason why a file inclusion cannot take place through the querystring is because $qadir and $dir are defined within the script. Evenwith register_globals on, any instance of these variables declared aspart of the query string (convertaa.php?qadir=[url to malicious script],for example) will be overwritten with the version in the script. Thefiles work as such:


convertaa.php:

<?php

$qadir = "/home/user/public_html/somefolder/"; // Ask&Answerinstallation path (WITH trailing slash)

if (file_exists($qadir . "config.php")) { //checking for config.php inthis folder and including it if it exists

   include($qadir . "config.php");
}
else { //if it doesn't exist

die("Error: Ask&Answer's<code>config.php</code> could not be found. Please makesure this file exists in the directory you have specified and tryagain.");

}


//database conversion happens here

?>

convertwakqa.php:

<?php

$dir = "/home/user/public_html/somefolder/"; //replace with absolutepath to your Wak's A&A directory (WITH SLASH AT THE END!)

if (file_exists($dir . "functions.php")) { //checking for afunctions.php file in above directory and including it if it exists

   include($dir . "functions.php");
}
else {

die("Error: Wak's Ask&Answer's<code>functions.php</code> could not be found. Pleasemake sure this file exists in your Wak's Ask&Answer directory.");

if (file_exists("../config.php")) { //checking for config.php in parentfolder and including if exists

   include("../config.php");
}
else {

die("Error: Could not find PHPAskIt's<code>config.php</code>. Without this file, the scriptcannot operate. Please makes sure it exists.");

}


//database conversion

?>

As you can see, $dir and $qadir are defined and cannot be overwritten byadditional variables in the GET array, or query string.

Furthermore, PHPAskIt 2.0+ will not run if any of the import files areleft in place.

Please could you notify readers of any sites that may list thisvulnerability that it is a hoax. CodeGrrl.com has recently come underfire for similar vulnerabilities in older scripts, and, being thatPHPAskIt was released AFTER those were discovered, it was imperativethat this sort of thing was avoided. Quite frankly I find it insultingthat somebody has decided that I would be capable of leaving such alarge security hole in my script when it was written a good three yearsafter most of CodeGrrl.com's previous scripts, which contained amultiple file inclusion vulnerability in their password protection file,protection.php. I would never have left such an obvious hole in my ownscript.It is our (CodeGrrl.com's) belief that people are spreading rumoursabout our newer scripts in an effort to further tarnish the site'sreputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.


Thank you for clearing this up on your site(s),

Amelie

CodeGrrl.com Staff


------------- Original Message ----------------

#########################################################
# /\/\!|_|_! |-|4|23|<47 #
#########################################################

# Milli-Harekat Advisory ( www.milli-harekat.org )

# PHPAskIt <== v2.0.1 - Remote File Include Vulnerabilities

# Risk : High

# Class: Remote

# Script : PHPAskIt v2.0.1

# Credits : ERNE erne[at]ernealizm[dot]com

# Thanks :Dj_ReMix,The_bekir,SpC-x,Eskobar,LiZ0zim,EntRýk4,Korsan.Di_lejyoner andAll MHG USERS


# Vulnerable :

http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts]

http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts]

Prev by Date: New CVE number states Excel Style handling as a separate issue
Next by Date: NSFOCUS SA2006-05 : Microsoft Excel SELECTION Record Memory Corruption Vulnerability
Previous by thread: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
Next by thread: Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
Index(es):
- Date
- Thread