Bugtraq mailing list archives
PHPMyNewsLetter 0.6.11 - customize.php include problem
From: Ueli Kistler <iuk () gmx ch>
Date: Wed, 05 Feb 2003 01:08:44 +0100
Vulnerable    : PHPMyNewsLetter 0.6.11
Vulnerability : Unauthorised file access
Product URL   : http://gregory.kokanosky.free.fr/phpmynewsletter/
Contacted     : 4.2.2003
Advisory by Eclipse at packx.net, visit www.packx.net.

Description
===========
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and would not
fix the vulnerability of PHPMyNewsLetter even if the script were written to use
the ereg function correctly (PHPSecure.org released their fix in Nov. 2002).

I. Details
II. Patch
III. Credits

I. Details
==========
How PHPSecure.org "fixed" PHPMyNewsletter:

include/customize.php

<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
    include($l);
}else{
    echo "Lang File can't be found.";
}
<snip>
?>

What happens? The ereg function will always return TRUE (for any value of two
or more characters) and ! will negate it to FALSE, so the IF always fails.

Why? http://www.php.net/manual/en/function.ereg.php
OK, why? Simply because "." is used as the symbol for "any single character".

So what happens if we "correct" the script and keep the same technique?

<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>

It has the functionality PHPSecure.org wanted (prevent a directory traversal),
but who needs a directory traversal to access files? So
customize.php?l=../index.html would not work, but e.g.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work perfectly.

Fix
===
include/customize.php (or php3, php4.. whatever)

<?
$l = basename($l);                                   # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){   # valid filename?
    include($l);                                     # Include
}else{
    echo "Invalid language file";
    exit;
}
$langfile = $l;
<snip>
?>

This allows access only to files beginning with "lang-" that are in the same
directory as customize.php ("include" usually).
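To put the three checks side by side, here is an added model in Python; it is
not PHP code from the advisory or from PHPMyNewsLetter. Python's re.search
stands in for ereg (an unanchored regex match) and os.path.basename for PHP's
basename(), which agree for the inputs below. The sample values of the "l"
parameter are constructed, and the file_exists() condition of the real checks
is left out because it depends on the server's filesystem. The first filter
rejects everything, the second rejects only ".." and so still accepts an
absolute path, and the basename + "lang-" prefix check keeps the include inside
the script's own directory.

```python
import os
import re

# Constructed values for the "l" parameter, in place of what customize.php
# would read from the query string. None of them come from a real system.
SAMPLE_INPUTS = [
    "lang-english.php",                         # a legitimate language file
    "../index.html",                            # directory traversal
    "/home/mywebspace_username/www/.htpasswd",  # absolute path, no ".."
    "lang-../../etc/passwd",                    # right prefix, traversal inside
    "",                                         # empty parameter
]


def phpsecure_check(l):
    """Model of PHPSecure.org's filter: !ereg("..", $l).

    In a regular expression "." matches any single character, so ".." matches
    any two characters. The filter therefore rejects every value of two or
    more characters, legitimate language files included.
    """
    return re.search("..", l) is None


def literal_dotdot_check(l):
    """Model of the "corrected" filter: !ereg("\\.\\.", $l).

    With the dots escaped the filter blocks "..", but any path without it,
    such as an absolute path elsewhere on the server, still passes.
    """
    return re.search(r"\.\.", l) is None


def basename_prefix_check(l):
    """Model of the advisory's fix: $l = basename($l); ereg("^lang-", $l).

    basename() removes every directory component, so whatever remains can
    only name a file in the script's own directory; the prefix check then
    limits it to language files. Returns (accepted, sanitized_name).
    """
    sanitized = os.path.basename(l)
    return sanitized.startswith("lang-"), sanitized


def compare_filters(inputs=SAMPLE_INPUTS):
    """Return, per input, whether each of the three filters would let it
    reach include(). The file_exists() part of the real checks is not
    modelled, since it depends on the server's filesystem."""
    results = {}
    for l in inputs:
        results[l] = {
            "phpsecure":  phpsecure_check(l),
            "literal_..": literal_dotdot_check(l),
            "basename":   basename_prefix_check(l)[0],
        }
    return results


if __name__ == "__main__":
    for l, r in compare_filters().items():
        print(repr(l))
        for name, accepted in r.items():
            print("  %-11s %s" % (name, "include" if accepted else "reject"))
```

Running the script prints, for each constructed input, which filter would
still include it; the .htpasswd path is accepted only by the escaped-dots
filter, and the valid language file is accepted only by the escaped-dots filter
and the basename fix.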
Credits
=======
Eclipse at PackX.net

Regards,
Eclipse
eclipse () packx net
www.packx.net

IDScenter 1.1 RC1 and EagleX IDS environment released
--