Ray 3.5 "sIncPath" File Inclusion Vulnerability

hd4real posted 9th of October 2008 in Community Voice. 7 comments.

Description: RoMaNcYxHaCkEr has reported a vulnerability in Ray, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Input passed to the "sIncPath" parameter in modules/global/inc/content.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. Successful exploitation requires that "register_globals" is enabled. The vulnerability is reported in version 3.5. Other versions may also be affected. Solution: Edit the source code to ensure that input is properly verified. Provided and/or discovered by: RoMaNcYxHaCkEr

Source: http://secunia.com/advisories/30999/

 
Comments
·Oldest
·Top
Please login to post a comment.
hd4real
hd4real9th of October 2008
 
Hack even works with "register_globals" off. I have mine off and got hacked anyway.
PermalinkReplyPlus0 pluses
sammie
sammie9th of October 2008
 
i did post a fix long back for this 3 months ago



add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this see more stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories
PermalinkReplyPlus0 pluses
hd4real
hd4real10th of October 2008to sammie
 
Thanks Sammie, I missed your post from 3 months ago.
PermalinkReplyPlus0 pluses
sammie
sammie10th of October 2008
 
you're welcome sweetie.
just for anyone that wants to know, i believe the first part can be placed in any file that has the "require_once($sIncPath..." in it.
this fix is for all versions of dolphin 5.6 to date
this fix will not affect anything within Dolphin, but if you have added google maps, then it would affect that, and other things you may have added that are not part of Dolphin and being called from outside your server

add it at the top above the 1st require once command

if see more (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "whatever is here");
PermalinkReplyPlus0 pluses
praveenkv1988
praveenkv198810th of October 2008
 
This file inclusion attack was fixed in version 6.1.3

I have found another security issue. I am working on it. Soon I will post the solution here.
PermalinkReplyPlus0 pluses
mshehi
mshehi29th of October 2008
 
I used Sammie's fix and got the following error when I try to navigate to my site (ver 6.1.4):

Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in /homepages/8/*/htdocs/*/family/ray/modules/global/inc/content.inc.php on line 228

Any Ideas?
PermalinkReplyPlus0 pluses
kepnoorg
kepnoorg14th of April 2009
 
I acknowledge Inclusion ver 6.1.4
PermalinkReplyPlus0 pluses
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Custom Jobs
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd
SSL
© BoonEx
Home
Features
Pricing
Support
Hosting
About
Demo
PET:0.057056188583374