[VIM] Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]
str0ke
str0ke at milw0rm.com
Tue Apr 3 19:41:39 UTC 2007
George,
Correcto. Removing the vulnerability.
/str0ke
On 4/3/07, George A. Theall <theall at tenablesecurity.com> wrote:
> Looks like milw0rm 3642 from ajann is bogus, or at least dependent on
> the version of Xoops -- I tested under Xoops 2.0.12, which is from June
> 2005, I believe.
>
> I grabbed a copy of the module from
> <http://easynews.dl.sourceforge.net/sourceforge/xoops/xoops2-mod_virii.zip>.
> modules/virii/index.php has this as its first couple of executable
> statements:
>
> include ("header.php");
> include("../../header.php");
> include_once($xoopsConfig['root_path']."class/xoopsmodule.php");
>
> and modules/virii/header.php has:
>
> include("../../mainfile.php");
>
> which includes Xoops' mainfile.php. That in turn generally includes
> include/common.php and class/xoopssecurity.php and then calls
> checkSuperglobals() from the latter. checkSuperglobals() makes sure
> someone isn't trying to muck with various important variables, including
> xoopsConfig; if so, it causes the script to die.
>
> Now you can bypass the initial check in class/xoopssecurity.php by
> setting xoopsOption[nocommon] if register_globals is enabled, but then
> script execution proceeds to Xoops' main header.php and eventually to
> class/template.php, at which point it stops because SMARTY_DIR is not
> defined (it normally would be in include/common.php).
>
> Apologies if this seems long-winded.
>
> George
> --
> theall at tenablesecurity.com
>
More information about the VIM
mailing list