Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

PHPMyNewsLetter 0.6.11 - customize.php include problem

From: Ueli Kistler <iuk () gmx ch>
Date: Wed, 05 Feb 2003 01:08:44 +0100
Vulnerable    : PHPMyNewsLetter 0.6.11
Vulnerability    : Unauthorised file access
Product URL    : http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted    : 4.2.2003

Advisory by Eclipse at packx.net, visit www.packx.net.

Description
===========
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and wouldn't fix the vulnerability of PHPMyNewsLetter even if we would write the script using ereg-function correctly (PHPSecure.org released their fix in Nov. 2002). 

I.    Details
II.    Patch
III.    Credits

I. Details
==========

How PHPSecure.org "fixed" PHPMyNewsletter:

include/customize.php

<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
 include($l);
}else{
 echo "Lang File can't be found.";
}

<snip>

?>
What happens? The ereg function will always return TRUE and ! will negate to FALSE, causing IF to abort always. 
Why? http://www.php.net/manual/en/function.ereg.php
OK why? Simply because "." is used as symbol for "any single character".

So what happens if we "correct" the script and maintain the same technique?

<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>
It has the functionlity PHPSecure.org wanted (prevent a directory traversal), 
but who needs a directory traversal to access files?
So customize.php?l=../index.html would not work, but e.x. customize.php?l=/home/mywebspace_username/www/.htpasswd will work 
perfectly.

Fix
===

include/customize.php (or php3, php4.. whatever)

<?
$l = basename($l);                         # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){        # valid filename?
 include($l);                            # Include
}else{
 echo "Invalid language file";
 exit;
}

$langfile = $l;

<snip>

?>
This allows accessing files begining with "lang-", that are in the same directory as customize.php ("include" usually) 

Credits
=======
Eclipse at PackX.net

Regards,
Eclipse
eclipse () packx net
www.packx.net
IDScenter 1.1 RC1 and EagleX IDS environment released

--
Previous By Date Next
Previous By Thread Next

Current thread: