[VIM] 30110: mp3SDS Core/core.inc.php fullpath Variable Remote File Inclusion (fwd)

security curmudgeon jericho at attrition.org
Sat Dec 2 18:47:24 EST 2006



---------- Forwarded message ----------
From: Michael David
To: moderators at osvdb.org
Date: Sat, 2 Dec 2006 17:27:24 -0600
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] [Change Request] 30110: mp3SDS Core/core.inc.php fullpath Variable Remote File Inclusion

Greetings.

I am a developer on the mp3SDS project.  I'm writing to indicate that
version 3.1 of mp3SDS (releasing today) includes this bugfix.
Additionally, I've attached to this email a unified patch which corrects
the issue for 3.0, as well as a by-hand quick fix.

I do wish someone would've emailed me earlier.  The developer address
listed in the README file was never notified until today of this issue,
and then by a friend and not anyone in the security industry.

Thanks,
Michael David

-- 
Michael A. David --
Student, Programmer, Geek, Citizen

"We are not now that strength which in old days moved earth and heaven; that
which we are, we are; One equal temper of heroic hearts, made weak by time and
fate, but strong in will to strive, to seek, to find, and not to yield."
--Alfred, Lord Tennyson.

-------------- next part --------------
--- Core/core.inc.php	19 Jul 2006 05:24:31 -0000	1.15
+++ Core/core.inc.php	2 Dec 2006 23:18:43 -0000
@@ -1,4 +1,14 @@
 <?
+// Copy certain _SERVER superglobals to the global namespace,
+// so we can access this information on diff versions of PHP.
+if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
+if($PHP_SELF == '')  $PHP_SELF=$_SERVER['PHP_SELF'];
+
+// 20061202 - Security Fix - http://secunia.com/advisories/22605
+if(stripos($PHP_SELF,'core.inc.php')!==false) {
+	die('Core should *never* be called directly.');
+}
+
 // version and cookie (seperate cookie per version)
 $mp3sds_version='3.0';
 $cookie_name='mp3SDS_'.str_replace('.','_',$mp3sds_version);
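Review bot: the new guard reads `$PHP_SELF`, a plain global that the `if($PHP_SELF == '')` line fills only when it is still empty, rather than reading `$_SERVER['PHP_SELF']` directly; which value ends up in that global first depends on `register_globals` and `variables_order`, so the check should be written against the superglobal itself (`if(stripos($_SERVER['PHP_SELF'],'core.inc.php')!==false)`) or, more robustly, against a constant that only the legitimate entry script defines before the `require` (`if(!defined('MP3SDS_ENTRY')) die('Core should *never* be called directly.');`), which depends neither on request data nor on how the web server populates PHP_SELF. Two smaller points: `stripos()` only exists from PHP 5.0, which sits oddly next to the comment about supporting different PHP versions (PHP 4 would need `strpos(strtolower($PHP_SELF),'core.inc.php')`); and the change blocks direct requests for core.inc.php but does not touch the `fullpath` handling the advisory title names, so it should be described as a mitigation of the direct-call vector rather than a fix of the inclusion itself.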
@@ -42,10 +52,6 @@
 	foreach($_REQUEST as $key => $value)
 			$$key = $value;
 	
-	// Copy certain _SERVER superglobals to the global namespace.
-	if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
-	if($PHP_SELF == '')  $PHP_SELF=$_SERVER['PHP_SELF'];
-
 	// If the user hasn't been here yet, set their current path to the mp3 folder.
 	if(!$base_dir) $base_dir="$location";
 
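Review bot: dropping the `$_SERVER` copy here matches the move in the first hunk, but the context lines above it are the actual origin of the advisory: `foreach($_REQUEST as $key => $value) $$key = $value;` re-implements register_globals, so any request parameter can set any variable in that scope, including `$location` and `$base_dir` on the very next lines, and the direct-call guard added at the top of the file does nothing about that when core.inc.php is loaded through a legitimate entry script. Consider replacing the loop with explicit reads of the parameters the application actually expects (`$base_dir = isset($_REQUEST['base_dir']) ? $_REQUEST['base_dir'] : '';` and so on) and validating `$base_dir`/`$fullpath` against the configured mp3 folder with `realpath()` before they reach any filesystem call or `include`.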
-------------- next part --------------
Quick fix for the mp3SDS 3.0 Core/core.inc.php file inclusion exploit
(place the lines between the <snip> tags at the top of core.inc.php):

---- <snip> -----
if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
if($PHP_SELF == '')  $PHP_SELF=$_SERVER['PHP_SELF'];
if(stripos($PHP_SELF,'core.inc.php')!==false) { die('Denied'); }
---- <snip> -----

Other options are to apply the official patch, or to upgrade mp3SDS to 
version 3.1.
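The quick fix above stops core.inc.php from being requested directly, but it still keys on PHP_SELF. The following is an added example, not mp3SDS code and not from the patch author, written in PHP 7+ rather than the PHP 4/5 the project targeted. It shows the same include guard keyed on a constant instead, plus a containment check that keeps a user-supplied path such as `fullpath` inside one fixed directory. The constant name MP3SDS_ENTRY, the function resolve_inside() and the directory /var/www/mp3 are assumptions made for the example.

```php
<?php
// Added example (not mp3SDS code). Names below are hypothetical.

// --- Pattern 1: include guard keyed on a constant, not on PHP_SELF ---
// The legitimate entry script (e.g. index.php) defines a marker BEFORE
// including the core file:
//     define('MP3SDS_ENTRY', true);
//     require 'Core/core.inc.php';
// At the top of Core/core.inc.php, refuse to run unless that marker exists.
// A constant cannot be set by a request parameter and does not depend on
// how the web server fills in PHP_SELF.
if (!defined('MP3SDS_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    die('Core should never be called directly.');
}

// --- Pattern 2: resolve a user-supplied path inside a fixed base directory ---
// Returns the canonical path if it lies within $base, or null otherwise.
function resolve_inside(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                       // misconfigured base directory
    }
    // Reject embedded NUL bytes and URL-style prefixes outright; with
    // allow_url_include enabled these would otherwise reach include().
    if (strpos($userPath, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                       // does not exist; say nothing more
    }
    // Accept only $baseReal itself or a path strictly below it. The trailing
    // separator prevents /var/www/mp3-other from matching /var/www/mp3.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($candidate !== $baseReal
        && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped the base via ../ or a symlink
    }
    return $candidate;
}

// Usage: read the parameter from $_GET explicitly instead of relying on
// register_globals or a foreach over $_REQUEST that assigns $$key.
$mp3Root   = '/var/www/mp3';              // assumed location of the mp3 folder
$requested = isset($_GET['fullpath']) ? (string) $_GET['fullpath'] : '';
$safePath  = resolve_inside($mp3Root, $requested);
if ($safePath === null) {
    header('HTTP/1.1 400 Bad Request');
    die('Invalid path.');
}
// $safePath is now known to lie under $mp3Root and can be used for a
// directory listing or file read. It should still never be handed to
// include() unless that directory holds nothing but trusted PHP sources.
```

The constant guard is the part most worth carrying into the real fix: it costs one `define()` in each entry script, it works on every PHP version, and it cannot be influenced by anything in the request.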


