Ray 3.5 "sIncPath" File Inclusion Vulnerability

hd4real posted 9th of October 2008 in Community Voice. 7 comments.

Description: RoMaNcYxHaCkEr has reported a vulnerability in Ray, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.

Input passed to the "sIncPath" parameter in modules/global/inc/content.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. Successful exploitation requires that "register_globals" is enabled.

The vulnerability is reported in version 3.5. Other versions may also be affected.

Solution: Edit the source code to ensure that input is properly verified.

Provided and/or discovered by: RoMaNcYxHaCkEr

Source: http://secunia.com/advisories/30999/

 
Comments
hd4real
Hack even works with "register_globals" off. I have mine off and got hacked anyway.
sammie
I did post a fix for this long back, 3 months ago.

Add the following code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories
hd4real
Thanks Sammie, I missed your post from 3 months ago.
sammie
you're welcome sweetie.
just for anyone that wants to know, i believe the first part can be placed in any file that has the "require_once($sIncPath..." in it.
this fix is for all versions of dolphin 5.6 to date
this fix will not affect anything within Dolphin, but if you have added google maps, then it would affect that, and other things you may have added that are not part of Dolphin and being called from outside your server

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "whatever is here");
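
An added example, not part of the thread or of the Ray/Dolphin code: a Python audit that checks PHP files for an include built from $sIncPath or $dir and reports whether the guard quoted in the comments appears before the first such include. The function names and sample strings are constructed for illustration, and the check is textual only (it does not parse PHP or strip comments).

```python
import re
from pathlib import Path

# Includes whose path starts with a variable the thread treats as
# request-controllable: $sIncPath, or the $dir[...] array.
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(\s*(?:\$sIncPath\b|\"\{\$dir\[)")
# The guard quoted in the thread, for either parameter name.
GUARD_RE = re.compile(
    r"isset\s*\(\s*\$_REQUEST\s*\[\s*['\"](sIncPath|dir)['\"]\s*\]\s*\)")

# Constructed samples modelled on the snippets in the comments.
VULNERABLE = '<?php\nrequire_once($sIncPath . "xml.inc.php");\n'
PATCHED = ("<?php\nif (isset($_REQUEST['sIncPath']))\n"
           "die ('Hacking attempt');\n\n"
           'require_once($sIncPath . "xml.inc.php");\n')


def audit_source(php_source):
    """Return 'ok', 'unguarded' or 'no-include' for one file's text."""
    first = INCLUDE_RE.search(php_source)
    if first is None:
        return "no-include"
    wanted = "sIncPath" if "$sIncPath" in first.group(0) else "dir"
    # Textual heuristic: the matching guard must sit before the first include.
    for guard in GUARD_RE.finditer(php_source, 0, first.start()):
        if guard.group(1) == wanted:
            return "ok"
    return "unguarded"


def audit_tree(root):
    """Map each .php file under root that has such an include to its status."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        status = audit_source(path.read_text(errors="replace"))
        if status != "no-include":
            results[path.relative_to(root).as_posix()] = status
    return results


if __name__ == "__main__":
    print(audit_source(VULNERABLE), audit_source(PATCHED))
```
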
praveenkv1988
This file inclusion attack was fixed in version 6.1.3

I have found another security issue. I am working on it. Soon I will post the solution here.
mshehi
I used Sammie's fix and got the following error when I try to navigate to my site (ver 6.1.4):

Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in /homepages/8/*/htdocs/*/family/ray/modules/global/inc/content.inc.php on line 228

Any Ideas?
kepnoorg
I acknowledge Inclusion ver 6.1.4
 
 