HomeUnityBlogs
 
 
hd4real

Ray 3.5 "sIncPath" File Inclusion Vulnerability

Description: RoMaNcYxHaCkEr has reported a vulnerability in Ray, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Input passed to the "sIncPath" parameter in modules/global/inc/content.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources. Successful exploitation requires that "register_globals" is enabled. The vulnerability is reported in version 3.5. Other versions may also be affected. Solution: Edit the source code to ensure that input is properly verified. Provided and/or discovered by: RoMaNcYxHaCkEr

Source: http://secunia.com/advisories/30999/

bad
0
good
 
 

Comments

hd4real
hd4real 91 days agocomment permalink
  
Hack even works with "register_globals" off. I have mine off and got hacked anyway.
 
bad
-1
good
 
 
sammie
sammie 90 days agocomment permalink
  
i did post a fix long back for this 3 months ago



add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories
 
bad
0
good
 
View 1 replies to this comment
 
sammie
sammie 90 days agocomment permalink
  
you're welcome sweetie.
just for anyone that wants to know, i believe the first part can be placed in any file that has the "require_once($sIncPath..." in it.
this fix is for all versions of dolphin 5.6 to date
this fix will not affect anything within Dolphin, but if you have added google maps, then it would affect that, and other things you may have added that are not part of Dolphin and being called from outside your server

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "whatever is here");
 
bad
0
good
 
 
praveenkv1988
praveenkv1988 90 days agocomment permalink
  
This file inclusion attack was fixed in version 6.1.3

I have found another security issue. I am working on it. Soon I will post the solution here.
 
bad
0
good
 
 
mshehi
mshehi 71 days agocomment permalink
  
I used Sammie's fix and got the following error when I try to navigate to my site (ver 6.1.4):

Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in /homepages/8/*/htdocs/*/family/ray/modules/global/inc/content.inc.php on line 228

Any Ideas?
 
bad
0
good
 
 


Post a Comment

Please login to post a comment.

This Post
 
 
hd4real Blog
All Blogs
Found a bug? Have a suggestion? We really value your feedback!
 
 
Home  Products  Unity  Trac  About  Help  Contact  Privacy Policy  Terms of Use  Rules  RSS Feed  Blog
© 2008 BoonEx Ltd
ABN 27 127 966 581
 
PET:0.687957048416