SECURITY ISSUE: phpCoin Remote File Include Vuln

cmeisinger

Registered
Nov 29, 2004
3
0
151
The version of PHPCoin that comes with Fantastico is vulnerable to a remote file include vulnerability. What this means is that you can have an attacker essentially pull a file from another server and execute it on your server via PHPCoin.

Please see: http://downloads.securityfocus.com/vulnerabilities/exploits/phpCOIN1.2.3_fi_poc.txt

Now, to the best of my knowledge, you should never ever have anyone posting content to that file. So for those of us smart enough to run mod_security, toss this in your modsecurty configuration.



SecFilter "PKG_PATH_INCL"



That should take care of it until Fantastico/PHPCoin releases an update.

Chris Meisinger
WingSix Hosting
www.wingsix.com


edit: Thanks to HalB on the cPanel IRC Channel for pointing this out to me.

Edit part 2: After a bit of playing with phpCoin, this can be executed through apparently any script in the coin_includes directory, so I've updated the modsec rule to filter that. Beforehand I was just filtering on a single file, now i'm just 403ing everything that uses the PKG_PATH_INCL var in the URL. I can't think of any good reason to include a var like that in a URL. heh
 
Last edited: