[VIM] Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]

George A. Theall theall at tenablesecurity.com
Tue Apr 3 19:08:10 UTC 2007

Looks like milw0rm 3642 from ajann is bogus, or at least dependent on 
the version of Xoops -- I tested under Xoops 2.0.12, which is from June 
2005, I believe.

I grabbed a copy of the module from 
modules/virii/index.php has this as its first couple of executable 

   include ("header.php");

and modules/virii/header.php has:


which includes Xoops' mainfile.php. That in turn generally includes 
include/common.php and class/xoopssecurity.php and then calls 
checkSuperglobals() from the latter. checkSuperglobals() makes sure 
someone isn't trying to muck with various important variables, including 
xoopsConfig; if so, it causes the script to die.

Now you can bypass the initial check in class/xoopssecurity.php by 
setting xoopsOption[nocommon] if register_globals is enabled, but then 
script execution proceeds to Xoops' main header.php and eventually to 
class/template.php, at which point it stops because SMARTY_DIR is not 
defined (it normally would be in include/common.php).

Apologies if this seems long-winded.

theall at tenablesecurity.com
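The guard the post describes (a check that dies when request input tries to set trusted application variables such as xoopsConfig) is easy to illustrate. The PHP below is an added example written for this page; it is not Xoops' class/xoopssecurity.php and not code from the poster. The function name guardSuperglobals(), the list of protected keys and the sample request arrays are assumptions for the illustration.

```php
<?php
// Added illustration of a checkSuperglobals()-style guard. Not Xoops' own
// code; names, the protected-key list and the sample input are assumptions.

/**
 * Refuse the request if any input source tries to set a variable that the
 * application treats as trusted state. With register_globals enabled such a
 * parameter would otherwise become a global before the application's own
 * code assigns it, which is the precondition the advisory in question relied on.
 *
 * $protected: variable names that must never arrive from the client.
 * $sources:   name => array pairs standing in for $_GET, $_POST, $_COOKIE.
 * Returns null when the request is clean, otherwise a reason string.
 */
function guardSuperglobals(array $protected, array $sources): ?string
{
    foreach ($sources as $sourceName => $values) {
        foreach ($protected as $key) {
            if (array_key_exists($key, $values)) {
                return "request tampers with $key via $sourceName";
            }
        }
    }
    return null;
}

// Assumed list of names the application regards as trusted configuration.
$protected = ['xoopsConfig', 'xoopsOption', 'xoopsDB', 'xoopsUser', 'GLOBALS'];

// Constructed sample request (a harmless one) in place of the real superglobals.
$sources = [
    '_GET'    => ['op' => 'list'],
    '_POST'   => [],
    '_COOKIE' => [],
];

$reason = guardSuperglobals($protected, $sources);
if ($reason !== null) {
    // Mirrors the "causes the script to die" behaviour described in the post.
    die("Security check failed: $reason\n");
}
echo "request accepted\n";
```

A guard of this kind is only as complete as its protected-key list, and it only runs if the file that defines it is actually reached on the include path. That is why the second half of the post matters as defence in depth: even where the first check is not reached, the later dependency on constants normally defined in include/common.php (SMARTY_DIR) stops execution before any attacker-controlled configuration could be used.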
