SecurityTracker.com
Category: Application (Generic) > phpMyNewsletter
Vendors: Kokanosky, Gregory
phpMyNewsletter 'customize.php' Include File Bug Discloses Files to Remote Users
SecurityTracker Alert ID: 1006136
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 20 2003
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.6.11 and prior versions; 0.7 beta
Description:  A vulnerability was reported in phpMyNewsletter. A remote user can view arbitrary files on the system.

It is reported that a remote user can request that specific files on the system be included using the 'customize.php' script. Files that are readable by the web server process can be viewed by the remote user.

A demonstration exploit is provided:

customize.php?l=/etc/passwd

Impact:  A remote user can view arbitrary known files on the system with the privileges of the web server process.
Solution:  The vendor has released a fixed version (0.6.12), available at:

http://gregory.kokanosky.free.fr/phpmynewsletter/?page=download

Vendor URL: gregory.kokanosky.free.fr/phpmynewsletter/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  support@securiteam.com
Message History:   None.


Source Message Contents

Date:  20 Feb 2003 20:45:01 +0200
From:  support@securiteam.com
Subject:  [UNIX] Unauthorized File Access Vulnerability Found in phpMyNewsletter

 

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - promotion
Beyond Security would like to welcome Tiscali World Online to our service provider team. For more info on their service offering IP-Secure, please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

Unauthorized File Access Vulnerability Found in phpMyNewsletter
------------------------------------------------------------------------

SUMMARY

<http://gregory.kokanosky.free.fr/phpmynewsletter/> phpMyNewsletter is a newsletter management script written in PHP. A security hole allowing unauthorized access to arbitrary files (for example /etc/passwd) has been found in the product. The vulnerability occurs even after the patch by <http://www.securiteam.com/unixfocus/6U0011P5QQ.html> phpsecure.org has been applied.

DETAILS

Vulnerable versions:
* phpMyNewsletter version 0.6.11 and prior
* phpMyNewsletter version 0.7 (beta)

Immune versions:
* phpMyNewsletter version 0.6.12 and above

The patch fix was:

---from /include/customize.php -----------------
<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
    include($l);
}else{
    echo "Lang File can't be found.";
}
<snip>
?>
--------------------------------------------------------

This patch caused the code to cease functioning as it should: ereg("..", $l) will always return TRUE, therefore !ereg("..",$l) will return FALSE. This problem occurs because "." is evaluated as a regular expression whose value is any single character. See <http://www.php.net/manual/en/function.ereg.php> Ereg Function for more details.

To fix the problem:

    if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){

Taking the literal value of "." seems to solve this problem, but although customize.php?l=../index.html would not work, customize.php?l=/etc/passwd will work (there is no need for directory traversal to access arbitrary files).

The Workaround:

<?
$l = basename($l);                                  # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){  # valid filename?
    include($l);                                    # Include
}else{
    echo "Invalid language file";
    exit;
}
$langfile = $l;
?>

This will allow access only to files which are located in the same directory as customize.php (usually /include) and begin with lang-.

Patch:
There is a patch available at the phpMyNewsletter site:
<http://gregory.kokanosky.free.fr/phpmynewsletter/download.php3?id=42>

ADDITIONAL INFORMATION

This information has been provided by <mailto:eclipse@packx.net> Eclipse

========================================
This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
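The three checks the advisory walks through (the unescaped ereg("..") patch, the escaped ereg("\.\.") variant, and the basename-plus-"lang-" workaround) re-implemented in Python as an added illustration; this is not code from the advisory or from phpMyNewsletter. Python's re.search treats an unescaped "." exactly as ereg does, so the first two functions reproduce the behaviour the advisory describes. The resolve_lang_file helper, the include/ sample directory and the lang-en.php file it creates are assumptions added here: the helper combines the workaround with the file_exists() test and a realpath containment check, which the advisory's workaround does not perform.

```python
import os
import re
import tempfile
from typing import Optional


def check_naive(l: str) -> bool:
    """First vendor patch: !ereg("..", $l).
    The unescaped dot matches any character, so every name of two or more
    characters is rejected and the script stops working."""
    return re.search("..", l) is None


def check_escaped(l: str) -> bool:
    """Second attempt: !ereg("\\.\\.", $l).
    Blocks '../' traversal but still accepts absolute paths such as /etc/passwd."""
    return re.search(r"\.\.", l) is None


def check_workaround(l: str) -> Optional[str]:
    """SecuriTeam workaround: basename() the value, then require a 'lang-' prefix.
    Returns the sanitised name, or None when the request is rejected.
    (file_exists() is applied separately in resolve_lang_file below.)"""
    name = os.path.basename(l)
    if re.match(r"^lang-", name):
        return name
    return None


def resolve_lang_file(include_dir: str, l: str) -> Optional[str]:
    """Hardened variant (assumption added here, not from the advisory):
    the workaround's rule plus a realpath containment test and an existence
    check. Returns the absolute path that would be safe to include, or None."""
    name = check_workaround(l)
    if name is None:
        return None
    base = os.path.realpath(include_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The resolved path must stay inside include/ even if a lang-* entry
    # is a symlink pointing somewhere else on the filesystem.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Build a constructed include/ directory holding one legitimate language
    file, run each check over sample request values, and return the outcomes."""
    tmp = tempfile.mkdtemp()
    include_dir = os.path.join(tmp, "include")
    os.mkdir(include_dir)
    with open(os.path.join(include_dir, "lang-en.php"), "w") as f:
        f.write("<?php $lang = 'en'; ?>\n")  # constructed sample file

    # Constructed sample values for the 'l' parameter: one legitimate file,
    # one traversal attempt, one absolute path, one well-formed but missing file.
    requests = ["lang-en.php", "../index.html", "/etc/passwd", "lang-xx.php"]
    return {
        "naive": {r: check_naive(r) for r in requests},
        "escaped": {r: check_escaped(r) for r in requests},
        "workaround": {r: check_workaround(r) for r in requests},
        "resolved": {r: resolve_lang_file(include_dir, r) for r in requests},
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check)
        for request, result in outcome.items():
            print(f"  {request!r:18} -> {result!r}")
```

Running the block prints one table per check: the naive check rejects everything including the legitimate lang-en.php, the escaped check lets /etc/passwd through, and only the workaround (with the containment and existence test added in resolve_lang_file) accepts exactly the language file that exists inside include/.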








Copyright 2002, SecurityGlobal.net LLC