[VIM] Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]
George A. Theall
theall at tenablesecurity.com
Tue Apr 3 19:08:10 UTC 2007
Looks like milw0rm 3642 from ajann is bogus, or at least dependent on
the version of Xoops -- I tested under Xoops 2.0.12, which is from June
2005, I believe.
I grabbed a copy of the module from
<http://easynews.dl.sourceforge.net/sourceforge/xoops/xoops2-mod_virii.zip>.
modules/virii/index.php has this as its first couple of executable
statements:
include ("header.php");
include("../../header.php");
include_once($xoopsConfig['root_path']."class/xoopsmodule.php");
and modules/virii/header.php has:
include("../../mainfile.php");
which includes Xoops' mainfile.php. That in turn generally includes
include/common.php and class/xoopssecurity.php and then calls
checkSuperglobals() from the latter. checkSuperglobals() makes sure
someone isn't trying to muck with various important variables, including
xoopsConfig; if so, it causes the script to die.
Now you can bypass the initial check in class/xoopssecurity.php by
setting xoopsOption[nocommon] if register_globals is enabled, but then
script execution proceeds to Xoops' main header.php and eventually to
class/template.php, at which point it stops because SMARTY_DIR is not
defined (it normally would be in include/common.php).
Apologies if this seems long-winded.
George
--
theall at tenablesecurity.com
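As an added illustration (not Xoops' own code, and not from the post above), here is a checkSuperglobals()-style guard of the kind the post describes: it refuses any request that tries to seed a protected variable such as xoopsConfig through register_globals, which is why the advisory's root_path override never reaches the include. The protected-name list and function names are assumptions for illustration.

```php
<?php
// Illustrative guard in the spirit of what the post describes Xoops'
// class/xoopssecurity.php doing; this is not the project's own code.

// Names an application refuses to accept from the request. xoopsConfig
// is the one named in the post; a real list would be longer (assumption).
const PROTECTED_GLOBALS = ['xoopsConfig'];

/**
 * Return the name of the first protected variable present in any of the
 * request sources, or null when the request is clean.
 */
function find_protected_override(array $get, array $post, array $cookie): ?string
{
    foreach ([$get, $post, $cookie] as $source) {
        foreach (PROTECTED_GLOBALS as $name) {
            if (array_key_exists($name, $source)) {
                return $name;
            }
        }
    }
    return null;
}

/**
 * Run the guard before any include executes: with register_globals on, a
 * request key named xoopsConfig would otherwise become $xoopsConfig, so the
 * script dies rather than continuing with attacker-supplied configuration.
 */
function check_superglobals(): void
{
    $hit = find_protected_override($_GET, $_POST, $_COOKIE);
    if ($hit !== null) {
        die("Refusing request: attempt to set protected variable $hit");
    }
}

// Constructed sample requests (not real traffic): one benign, one that
// tries to override xoopsConfig[root_path] as the advisory assumes is possible.
$benign = ['page' => '1'];
$tamper = ['xoopsConfig' => ['root_path' => 'http://example.invalid/']];
var_dump(find_protected_override($benign, [], []) === null);         // bool(true)
var_dump(find_protected_override($tamper, [], []) === 'xoopsConfig'); // bool(true)
```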