File Inclusion Vulnerability

BoonEx Ray "sIncPath" Remote PHP File Inclusion Vulnerability

A vulnerability has been identified in BoonEx Ray, which could be exploited by remote attackers to compromise a vulnerable web server. This issue is caused by an input validation error in the "modules/global/inc/content.inc.php" script when processing the "sIncPath" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

This is happening to me with Dolphin 6.1.4

Quote · 9 Oct 2008

Check http://www.frsirt.com/english/advisories/2008/2033 for info

Quote · 9 Oct 2008

Description:
RoMaNcYxHaCkEr has reported a vulnerability in Ray, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Input passed to the "sIncPath" parameter in modules/global/inc/content.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability is reported in version 3.5. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
RoMaNcYxHaCkEr

Source: http://secunia.com/advisories/30999/

Quote · 9 Oct 2008

Hello!

"Successful exploitation requires that "register_globals" is enabled." So in the new version we'll add more checking for the mentioned variable and add a reminder about register globals to the install and header files of Dolphin, like the safe_mode checking. It will be a necessary option for using Dolphin from 6.2 because our recommendations from Trac usually are ignored in such keys.

Regards

Quote · 10 Oct 2008

This isn't a Ray or Dolphin vulnerability; anytime you enable register_globals you present a security risk.

You should do your best to write your scripts so that they do not require register_globals to be on; using form variables as globals can easily lead to possible security problems if the code is not very well thought out.

Quote · 10 Oct 2008

Thanks for the reply. Register globals was off, but these lines were missing from the files, as stated by Sammie 3 months ago. You should have added the lines to Dolphin 6.1.4:

------------------------SAMMIE'S FIX--------------------

I did post a fix long back for this, 3 months ago.

Add the following code to your ray/modules/global/inc/content.inc.php

Add it at the top, above the 1st require once command:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

This stops any remote includes being used.

Next, edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require once:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories

Quote · 10 Oct 2008
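
An alternative to the request-variable check in the fix above, as an added example that is not from the thread or from BoonEx: the include directory comes from a fixed base rather than from `$sIncPath`, and only allowlisted file names are accepted. The function `resolve_include`, the constant `ALLOWED_INCLUDES` and the demo directory are assumptions; the three file names are taken from the require_once lines quoted above.

```php
<?php
// Added example, not BoonEx code. Include paths come from a fixed base and an
// allowlist instead of $sIncPath, so no request variable can steer them.

// File names taken from the require_once lines quoted in the thread.
const ALLOWED_INCLUDES = ['xml.inc.php', 'constants.inc.php', 'apiFunctions.inc.php'];

/**
 * Return the absolute path of an allowlisted include inside $baseDir,
 * or null when the name is not allowlisted or resolves elsewhere.
 */
function resolve_include(string $baseDir, string $name): ?string
{
    // Exact match only: URLs, "../" sequences and extra suffixes all fail here.
    if (!in_array($name, ALLOWED_INCLUDES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: a symlinked file must still resolve under the base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway include directory holding stub files.
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
if (!is_dir($demoDir)) {
    mkdir($demoDir);
}
foreach (ALLOWED_INCLUDES as $file) {
    file_put_contents($demoDir . DIRECTORY_SEPARATOR . $file, "<?php // stub\n");
}

// Constructed inputs: one legitimate name and three that must be refused.
$candidates = ['xml.inc.php', '../xml.inc.php', 'http://example.invalid/x.txt?', 'other.inc.php'];
foreach ($candidates as $name) {
    $resolved = resolve_include($demoDir, $name);
    printf("%-30s => %s\n", $name, $resolved === null ? 'rejected' : 'ok: ' . basename($resolved));
}

// In the real script the call would be, for example:
// require_once resolve_include(__DIR__, 'xml.inc.php');
```

Keeping `allow_url_include` set to Off in php.ini blocks remote includes independently of this check.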