Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
Hi there,
I would like to point out that the security vulnerability quoted below
(and seen here:
http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html -
submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.com
script, PHPAskIt, is incorrect. I am the author of this script and can
confidently say that no such hack can take place through the
convertaa.php and convertwakqa.php files. This has been fully tested by
myself and others when we became aware of the supposed vulnerability.
The reason why a file inclusion cannot take place through the query
string is because $qadir and $dir are defined within the script. Even
with register_globals on, any instance of these variables declared as
part of the query string (convertaa.php?qadir=[url to malicious script],
for example) will be overwritten with the version in the script. The
files work as such:
convertaa.php:
<?php
$qadir = "/home/user/public_html/somefolder/"; // Ask&Answer
installation path (WITH trailing slash)
if (file_exists($qadir . "config.php")) { //checking for config.php in
this folder and including it if it exists
include($qadir . "config.php");
}
else { //if it doesn't exist
die("<p><strong>Error:</strong> Ask&Answer's
<strong><code>config.php</code></strong> could not be found. Please make
sure this file exists in the directory you have specified and try
again.</p>");
}
//database conversion happens here
?>
convertwakqa.php:
<?php
$dir = "/home/user/public_html/somefolder/"; //replace with absolute
path to your Wak's A&A directory (WITH SLASH AT THE END!)
if (file_exists($dir . "functions.php")) { //checking for a
functions.php file in above directory and including it if it exists
include($dir . "functions.php");
}
else {
die("<p><strong>Error:</strong> Wak's Ask&Answer's
<strong><code>functions.php</code></strong> could not be found. Please
make sure this file exists in your Wak's Ask&Answer directory.</p>");
}
if (file_exists("../config.php")) { //checking for config.php in parent
folder and including if exists
include("../config.php");
}
else {
die("<p><strong>Error:</strong> Could not find PHPAskIt's
<strong><code>config.php</code></strong>. Without this file, the script
cannot operate. Please makes sure it exists.</p>");
}
//database conversion
?>
As you can see, $dir and $qadir are defined and cannot be overwritten by
additional variables in the GET array, or query string.
Furthermore, PHPAskIt 2.0+ will not run if any of the import files are
left in place.
Please could you notify readers of any sites that may list this
vulnerability that it is a hoax. CodeGrrl.com has recently come under
fire for similar vulnerabilities in older scripts, and, being that
PHPAskIt was released AFTER those were discovered, it was imperative
that this sort of thing was avoided. Quite frankly I find it insulting
that somebody has decided that I would be capable of leaving such a
large security hole in my script when it was written a good three years
after most of CodeGrrl.com's previous scripts, which contained a
multiple file inclusion vulnerability in their password protection file,
protection.php. I would never have left such an obvious hole in my own
script.
It is our (CodeGrrl.com's) belief that people are spreading rumours
about our newer scripts in an effort to further tarnish the site's
reputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.
Thank you for clearing this up on your site(s),
Amelie
CodeGrrl.com Staff
------------- Original Message ----------------
#########################################################
# /\/\!|_|_! |-|4|23|<47 #
#########################################################
# Milli-Harekat Advisory ( www.milli-harekat.org )
# PHPAskIt <== v2.0.1 - Remote File Include Vulnerabilities
# Risk : High
# Class: Remote
# Script : PHPAskIt v2.0.1
# Credits : ERNE erne[at]ernealizm[dot]com
# Thanks :
Dj_ReMix,The_bekir,SpC-x,Eskobar,LiZ0zim,EntRýk4,Korsan.Di_lejyoner and
All MHG USERS
# Vulnerable :
http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts]
http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts]