Vulnerable: PHPMyNewsLetter 0.6.11
Vulnerability: Unauthorised file access
Product URL: http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted: 4.2.2003
Advisory by Eclipse at packx.net, visit www.packx.net.
Description
===
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and
wouldn't fix the vulnerability of PHPMyNewsLetter
even if we would write the script using ereg-function correctly
(PHPSecure.org released their fix in Nov. 2002).
I.Details
II.Patch
III.Credits
I. Details
==
How PHPSecure.org "fixed" PHPMyNewsletter:
include/customize.php
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
include($l);
}else{
echo "Lang File can't be found.";
}
?>
What happens? The ereg function will always return TRUE and ! will
negate to FALSE, causing IF to abort always.
Why? http://www.php.net/manual/en/function.ereg.php
OK why? Simply because "." is used as symbol for "any single character".
So what happens if we "correct" the script and maintain the same technique?
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
It has the functionlity PHPSecure.org wanted (prevent a directory
traversal),
but who needs a directory traversal to access files?
So customize.php?l=../index.html would not work, but e.x.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work
perfectly.
Fix
===
include/customize.php (or php3, php4.. whatever)
$l = basename($l); # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){# valid filename?
include($l);# Include
}else{
echo "Invalid language file";
exit;
}
$langfile = $l;
?>
This allows accessing files begining with "lang-", that are in the same
directory as customize.php ("include" usually)
Credits
===
Eclipse at PackX.net
Regards,
Eclipse
[EMAIL PROTECTED]
www.packx.net
IDScenter 1.1 RC1 and EagleX IDS environment released
--
