[VIM] CVE dispute - phpAdsNew PHP file inclusion

Heinbockel, Bill heinbockel at mitre.org
Fri Dec 8 11:29:11 EST 2006


Researcher - CrackersChild (* he's back!! *)
BUGTRAQ:20061207 phpAdsNew-2.0.4-pr2 Remote File Inclusion Exploit
http://www.securityfocus.com/archive/1/archive/1/453773/100/0/threaded

Hidden in the supplied exploit script:

$req = HTTP::Request->new(GET =>$Path.'admin/ib-maintenance.inc.php?phpAds_path='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

In the referenced product download, phpAdsNew-2.0.4-pr2
there is no file named "ib-maintenance.inc.php", however
there is a file "admin/lib-maintenance.inc.php". Okay, a
typo...

However, the first lines of admin/lib-maintenance.inc.php read:

> @include (phpAds_path.'/language/english/maintenance.lang.php');
> if ($phpAds_config['language'] != 'english' && file_exists(phpAds_path.'/language/'.$phpAds_config['language'].'/maintenance.lang.php'))
>     @include (phpAds_path.'/language/'.$phpAds_config['language'].'/maintenance.lang.php');

So, phpAds_path is a constant and can't be set via a GET parameter.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
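
A triage check for this kind of dispute, added here as an example (it is not part of the original post or of phpAdsNew): it reports whether a claimed request parameter appears in an include path as a `$variable` or only as a bare constant. The function names and the last sample line are assumptions constructed for illustration.

```python
import re

# Excerpt quoted in the post (mail line wraps joined), plus one constructed
# contrast line that is NOT from phpAdsNew.
SAMPLE = r"""
@include (phpAds_path.'/language/english/maintenance.lang.php');
if ($phpAds_config['language'] != 'english' && file_exists(phpAds_path.'/language/'.$phpAds_config['language'].'/maintenance.lang.php'))
    @include (phpAds_path.'/language/'.$phpAds_config['language'].'/maintenance.lang.php');
include ($example_path.'/constructed.inc.php');  // constructed sample line
"""

# include / require / include_once / require_once, path expression up to ';'
INCLUDE_RE = re.compile(
    r"@?\b(?:include|require)(?:_once)?\b\s*(?P<expr>[^;]+);", re.IGNORECASE)


def classify(expr, param):
    """How does `param` appear in one include path expression?

    'variable' : used as $param (also inside a "..." string, which PHP
                 interpolates); needs review, since register_globals could
                 populate it if it is not initialised first.
    'constant' : used only as a bare identifier; a define()d constant is
                 not settable from GET/POST/cookie data.
    'absent'   : the name does not take part in the path at all.
    """
    no_single = re.sub(r"'(?:\\.|[^'\\])*'", "''", expr)   # '...' never interpolates
    no_strings = re.sub(r'"(?:\\.|[^"\\])*"', '""', no_single)
    name = re.escape(param)
    if re.search(r"\$" + name + r"\b", no_single):
        return "variable"
    # Bare identifier: not preceded by $, ->, :: or word chars; not a call.
    if re.search(r"(?<![$\w>:])" + name + r"\b(?!\s*\()", no_strings):
        return "constant"
    return "absent"


def triage(source, param):
    """Return [(include expression, classification)] for a claimed parameter."""
    return [(m.group("expr").strip(), classify(m.group("expr"), param))
            for m in INCLUDE_RE.finditer(source)]


if __name__ == "__main__":
    for expr, kind in triage(SAMPLE, "phpAds_path"):
        print(f"{kind:9} {expr}")
```

A 'constant' result only covers the include statement itself; confirming the dispute still means checking that the name is actually define()d before the file is reached.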

