<<< Date Index >>>     <<< Thread Index >>>

Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.



Hi there,

I would like to point out that the security vulnerability quoted below (and seen here: http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html - submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.com script, PHPAskIt, is incorrect. I am the author of this script and can confidently say that no such hack can take place through the convertaa.php and convertwakqa.php files. This has been fully tested by myself and others when we became aware of the supposed vulnerability. The reason why a file inclusion cannot take place through the query string is because $qadir and $dir are defined within the script. Even with register_globals on, any instance of these variables declared as part of the query string (convertaa.php?qadir=[url to malicious script], for example) will be overwritten with the version in the script. The files work as such:

convertaa.php:

<?php
$qadir = "/home/user/public_html/somefolder/"; // Ask&Answer installation path (WITH trailing slash)

if (file_exists($qadir . "config.php")) { //checking for config.php in this folder and including it if it exists
   include($qadir . "config.php");
}
else { //if it doesn't exist
die("<p><strong>Error:</strong> Ask&amp;Answer's <strong><code>config.php</code></strong> could not be found. Please make sure this file exists in the directory you have specified and try again.</p>");
}


//database conversion happens here

?>

convertwakqa.php:

<?php
$dir = "/home/user/public_html/somefolder/"; //replace with absolute path to your Wak's A&A directory (WITH SLASH AT THE END!)

if (file_exists($dir . "functions.php")) { //checking for a functions.php file in above directory and including it if it exists
   include($dir . "functions.php");
}
else {
die("<p><strong>Error:</strong> Wak's Ask&amp;Answer's <strong><code>functions.php</code></strong> could not be found. Please make sure this file exists in your Wak's Ask&amp;Answer directory.</p>");
}
if (file_exists("../config.php")) { //checking for config.php in parent folder and including if exists
   include("../config.php");
}
else {
die("<p><strong>Error:</strong> Could not find PHPAskIt's <strong><code>config.php</code></strong>. Without this file, the script cannot operate. Please makes sure it exists.</p>");
}


//database conversion

?>


As you can see, $dir and $qadir are defined and cannot be overwritten by additional variables in the GET array, or query string.

Furthermore, PHPAskIt 2.0+ will not run if any of the import files are left in place.

Please could you notify readers of any sites that may list this vulnerability that it is a hoax. CodeGrrl.com has recently come under fire for similar vulnerabilities in older scripts, and, being that PHPAskIt was released AFTER those were discovered, it was imperative that this sort of thing was avoided. Quite frankly I find it insulting that somebody has decided that I would be capable of leaving such a large security hole in my script when it was written a good three years after most of CodeGrrl.com's previous scripts, which contained a multiple file inclusion vulnerability in their password protection file, protection.php. I would never have left such an obvious hole in my own script. It is our (CodeGrrl.com's) belief that people are spreading rumours about our newer scripts in an effort to further tarnish the site's reputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.

Thank you for clearing this up on your site(s),

Amelie

CodeGrrl.com Staff


------------- Original Message ----------------

#########################################################
# /\/\!|_|_! |-|4|23|<47 #
#########################################################

# Milli-Harekat Advisory ( www.milli-harekat.org )

# PHPAskIt <== v2.0.1 - Remote File Include Vulnerabilities

# Risk : High

# Class: Remote

# Script : PHPAskIt v2.0.1

# Credits : ERNE erne[at]ernealizm[dot]com

# Thanks : Dj_ReMix,The_bekir,SpC-x,Eskobar,LiZ0zim,EntRýk4,Korsan.Di_lejyoner and All MHG USERS

# Vulnerable :

http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts]

http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts]