Local File Inclusion? How to patch this

Question

Hi,

I am trying to patch my php fusion to a new vulnerability. But I don't under the vulnerability fully.

Please see here first: http://www.exploit-db.com/exploits/14647/

=================Exploit=================
maincore.php
[php]
 // Locate config.php and set the basedir path
$folder_level = ""; $i = 0;
while (!file_exists($folder_level."config.php")) {
    $folder_level .= "../"; $i++;
    if ($i == 5) { die("Config file not found"); }
}
require_once $folder_level."config.php";
define("BASEDIR", $folder_level);
[/php]
----exploit----

http://{localhost}/{path}/maincore.php?folder_level=LFI

I know what a Local File Inclusion is but how does just setting a get variable make it into the piece of code that was shown, it doesn't even make use of the get variable!!

Thanks to anyone clearing this up. I want to patch this, if there is anything to patch!

Answer 1

Its because of the register_globals setting from hell in PHP.

With that enabled the get variables are accessible directly with there name like you see in your code. where

$_GET['somevar'] 

is also

$somevar;

There is a chance it is not set on your server (it really should not) so you are probably not vulnerable to this. But if it is enabled do something about it.

And in your specific case I am pretty sure that this line

$folder_level = "";

At the begining of your script clears anything that could have been set in the url.

Answer 2

The best way to patch Local File Include (LFI) and Remote File Include (RFI) vulnerabilities is to use a white list.

$safe_folders=array("test","config","includes","special");

if(in_array($folder_level,$safe_folders)){
    require_once $folder_level."/config.php";
}

The rest of that code you posted is garbage... obviously because it was hacked and exploit code was posted to the public.