[VIM] 30110: mp3SDS Core/core.inc.php fullpath Variable Remote File Inclusion (fwd)
security curmudgeon
jericho at attrition.org
Sat Dec 2 18:47:24 EST 2006
---------- Forwarded message ----------
From: Michael David
To: moderators at osvdb.org
Date: Sat, 2 Dec 2006 17:27:24 -0600
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] [Change Request] 30110: mp3SDS Core/core.inc.php fullpath Variable Remote File Inclusion
Greetings.
I am a developer on the mp3SDS project. I'm writing to indicate that
version 3.1 of mp3SDS (releasing today) includes this bugfix.
Additionally, I've attached to this email a unified patch which corrects
the issue for 3.0, as well as a by-hand quick fix.
I do wish someone would've emailed me earlier. The developer address
listed in the README file was never notified until today of this issue,
and then by a friend and not anyone in the security industry.
Thanks,
Michael David
--
Michael A. David --
Student, Programmer, Geek, Citizen
"We are not now that strength which in old days moved earth and heaven; that
which we are, we are; One equal temper of heroic hearts, made weak by time and
fate, but strong in will to strive, to seek, to find, and not to yield."
--Alfred, Lord Tennyson.
-------------- next part --------------
--- Core/core.inc.php 19 Jul 2006 05:24:31 -0000 1.15
+++ Core/core.inc.php 2 Dec 2006 23:18:43 -0000
@@ -1,4 +1,14 @@
<?
+// Copy certain _SERVER superglobals to the global namespace,
+// so we can access this information on diff versions of PHP.
+if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
+if($PHP_SELF == '') $PHP_SELF=$_SERVER['PHP_SELF'];
+
+// 20061202 - Security Fix - http://secunia.com/advisories/22605
+if(stripos($PHP_SELF,'core.inc.php')!==false) {
+ die('Core should *never* be called directly.');
+}
+
// version and cookie (seperate cookie per version)
$mp3sds_version='3.0';
$cookie_name='mp3SDS_'.str_replace('.','_',$mp3sds_version);
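Review bot: the new guard `if(stripos($PHP_SELF,'core.inc.php')!==false)` tests the plain global `$PHP_SELF`, which the two lines above only fill from `$_SERVER['PHP_SELF']` when it is still empty; on a host with `register_globals` enabled that variable can already be populated from the request before this file runs, so the check may not be looking at the real script name. Read `$_SERVER['PHP_SELF']` (or better, compare `$_SERVER['SCRIPT_FILENAME']` against `__FILE__`) directly, or have the entry script `define()` a constant and `exit` here when it is not defined, since a constant cannot be set from request data. Two smaller points in the same hunk: `$HTTP_HOST == ''` on an unset variable raises an E_NOTICE, so `empty($HTTP_HOST)` is the cleaner test, and the comment's "diff versions of PHP" should read "different versions of PHP".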
@@ -42,10 +52,6 @@
foreach($_REQUEST as $key => $value)
$$key = $value;
- // Copy certain _SERVER superglobals to the global namespace.
- if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
- if($PHP_SELF == '') $PHP_SELF=$_SERVER['PHP_SELF'];
-
// If the user hasn't been here yet, set their current path to the mp3 folder.
if(!$base_dir) $base_dir="$location";
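Review bot: this hunk only relocates the `$_SERVER` copy to the top of the file; the `foreach($_REQUEST as $key => $value) $$key = $value;` loop kept in the context lines still lets any request parameter overwrite any global, including `$base_dir` just below it and the `fullpath` variable named in the advisory title, which is the root cause the direct-call check does not remove. Replace the loop with an explicit list of the request keys this file expects and validate path-like values against the configured mp3 folder (`$location`), so the fix does not rest solely on core.inc.php never being reached as the entry script. The deletion also leaves a blank `-` line, so the hunk applies cleanly but `diff` will report whitespace-only churn there.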
-------------- next part --------------
Quick Fix for mp3SDS 3.0 Core/core.inc.php File Inclusion exploit:
(place the lines between the <snip> tags at the top of core.inc.php):
---- <snip> -----
if($HTTP_HOST == '') $HTTP_HOST=$_SERVER['HTTP_HOST'];
if($PHP_SELF == '') $PHP_SELF=$_SERVER['PHP_SELF'];
if(stripos($PHP_SELF,'core.inc.php')!==false) { die('Denied'); }
---- <snip> -----
Other options are to apply the official patch, or to upgrade mp3SDS to
version 3.1.
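As an added example (written for this archive page, not code from the forwarded message or from the mp3SDS project), the guard pattern below avoids the two weak points of the quick fix: it keys the direct-access check on a constant the entry script defines rather than on a global that request data can influence, and it replaces mass-assignment of `$_REQUEST` with an explicit list of expected parameters whose path values are confined to the mp3 folder. The constant name `MP3SDS_ENTRY`, the `../mp3` folder location and the treatment of `fullpath` as a filesystem path under that folder are assumptions for the example.

```php
<?php
// Added example, not mp3SDS code. Shows (a) a direct-access guard that
// does not depend on $PHP_SELF and (b) an allow-list replacement for
// "foreach($_REQUEST as $key => $value) $$key = $value;".

// --- in the entry script (e.g. index.php), before the include ---------
//   define('MP3SDS_ENTRY', true);            // assumed constant name
//   require __DIR__ . '/Core/core.inc.php';

// --- Core/core.inc.php -----------------------------------------------
// (a) Refuse to run unless an entry script defined the constant.
//     Constants cannot be set from the request, unlike globals.
if (!defined('MP3SDS_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Core should never be called directly.');
}

// (b) Copy only the request keys core.inc.php actually uses, as strings.
//     'base_dir' appears in the patch; 'fullpath' is the variable the
//     advisory names. Everything else in $_REQUEST is ignored.
$allowed = array('base_dir', 'fullpath');
$params  = array();
foreach ($allowed as $key) {
    $params[$key] = isset($_REQUEST[$key]) ? (string) $_REQUEST[$key] : '';
}

// Configured mp3 folder (assumed location for the example).
$location = realpath(__DIR__ . '/../mp3');
if ($location === false) {
    exit('mp3 folder not found');
}

// Resolve a user-supplied relative path under $base and reject anything
// that escapes it (handles "../", absolute paths and URLs, which realpath
// either canonicalises outside $base or cannot resolve at all).
function safe_path($base, $candidate)
{
    if ($candidate === '') {
        return $base;
    }
    $resolved = realpath($base . '/' . $candidate);
    if ($resolved === false || strpos($resolved . '/', $base . '/') !== 0) {
        return $base;   // outside the allowed tree: fall back to the root
    }
    return $resolved;
}

// Same defaults as the original ("if(!$base_dir) $base_dir=$location"),
// but the values can no longer point outside the mp3 folder.
$base_dir = safe_path($location, $params['base_dir']);
$fullpath = safe_path($location, $params['fullpath']);
```

With this in place, a request that carries an unexpected parameter name simply has no effect on the script's globals, and a path parameter that resolves outside the mp3 folder is replaced by the folder root rather than being passed to an include or file operation.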