• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: phpSecurePages Included File Arbitrary Command Execution Vulnerability

Severity: HIGH

Description:

phpSecurePages is a PHP module to secures pages with a login name and password.

An input validation error exists that could enable remote users to cause the 'interface.php' script used by phpSecurePages to be loaded from an arbitrary location.

The problem is the result of how files are loaded by the 'checklogin.php' script. A variable named 'cfgProgPath' is used to define the path of the 'interface.php' configuration data file and is passed directly as part the include() statement used to load that file. Because the PHP interpreter creates and names variables the same as the element names in a query, it is possible to assign an arbitrary value to the 'cfgProgPath' variable.

PHP contains support for and allows by default the inclusion of remote files using the include() statement. The path to remote files is specified using a HTTP or FTP URL.

As a result, it is possible for a remote user to specify the URL of a site containing a malicious 'interface.php' file as the 'cfgProgPath' variable. This will cause any code in the file to be executed by the checklogin.php script on the site running phpSecurePages, with the privileges of the webserver.

Affected Products:

• phpSecurePages phpSecurePages 0.11.0beta
• phpSecurePages phpSecurePages 0.12.0beta
• phpSecurePages phpSecurePages 0.13.0beta
• phpSecurePages phpSecurePages 0.14.0beta
• phpSecurePages phpSecurePages 0.15.0beta
• phpSecurePages phpSecurePages 0.16.0beta
• phpSecurePages phpSecurePages 0.17.0beta
• phpSecurePages phpSecurePages 0.18.0beta
• phpSecurePages phpSecurePages 0.19.0beta
• phpSecurePages phpSecurePages 0.20.0beta
• phpSecurePages phpSecurePages 0.21.0beta
• phpSecurePages phpSecurePages 0.22.0beta
• phpSecurePages phpSecurePages 0.23.0beta
• phpSecurePages phpSecurePages 0.24.0beta

References:

• phpSecurePages: phpSecurePages Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.