[VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability

[George A. Theall]

On 03/15/07 15:44, Ferdy Riphagen wrote:

> html/content.php contains:
> <?
> $c_category = !isset($c_category)? "":$c_category;
> include "./basepath.php";
> $c_module = "content";
> include "$c_basepath/base/groupit.start.inc";
..
> After normal install basepath.php has (my case)
> <?
> $c_basepath = "/chroot/apache2/www/test/groupit/groupit";
> $c_block_cache = 1;
> ?>
> 
> I couldn't find load.inc.php, userprofile.php, dispatch.php (or I need 
> some sleep)

I haven't set it up, but looking at the code in 
groupit/base/groupit.start.inc I see it registers any global variables 
passed in if register_globals is disabled or magic_quotes_gpc is 
enabled; eg,

   if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
   {
      /* Register our own global variables when register_globals in 
php.ini is disabled. */
      reset($HTTP_ENV_VARS);
      reset($HTTP_GET_VARS);
      reset($HTTP_POST_VARS);
      reset($HTTP_COOKIE_VARS);
      reset($HTTP_SERVER_VARS);
      while (list ($key, $val) = each ($HTTP_POST_FILES)) 
$GLOBALS[$key]=$val;
      while (list ($key, $val) = each ($HTTP_ENV_VARS)) $GLOBALS[$key]=$val;
      while (list ($key, $val) = each ($HTTP_GET_VARS)) 
$GLOBALS[$key]=stripslashes($val);
      while (list ($key, $val) = each ($HTTP_POST_VARS)) 
$GLOBALS[$key]=stripslashes($val);
      while (list ($key, $val) = each ($HTTP_COOKIE_VARS)) 
$GLOBALS[$key]=$val;
      while (list ($key, $val) = each ($HTTP_SERVER_VARS)) 
$GLOBALS[$key]=$val;

So while I don't know about the missing files, it does seem that an 
attacker may be able to overwrite $c_basepath, which will then be used 
further down in this file to include at least two files.


George
-- 
theall at tenablesecurity.com