[VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
George A. Theall
theall at tenablesecurity.com
Wed Jun 13 17:43:12 UTC 2007
Just an FYI... Milw0rm 4068 works but requires authentication. The code
in modify.php starts out like this:
include '../../mainfile.php';
$dir_module = XOOPS_ROOT_PATH.'/modules/'.$xoopsModule->dirname();
include_once "$dir_module/conf.php";
include_once "$dir_module/include/groupaccess.php";
include_once "$dir_module/class/common.php";
include_once "$dir_module/class/wfscategory.php";
include_once "$dir_module/class/wfsarticle.php";
include_once "$dir_module/class/wfsfiles.php";
so initially it looked like the attack wouldn't work. Turns out, though,
that it calls 'class/wfsarticle.php', which in turn calls
'include/wysiwygeditor.php', which contains this little nugget:
foreach ($HTTP_POST_VARS as $k => $v) {
${$k} = $v;
}
foreach ($HTTP_GET_VARS as $k => $v) {
${$k} = $v;
}
At this point, the attacker's got control over dir_module, which then
comes into play when trying to include wfsfiles.php.
George
--
theall at tenablesecurity.com
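The loops quoted above copy every GET and POST key into the local symbol table, so a request parameter named dir_module silently replaces the path computed from $xoopsModule before the remaining include_once calls run. The following is an added example written for this archive page, not code from the XFsection module or from the poster: it shows a hardened way to take editor settings from the request without letting request keys reach the symbol table, plus a check on the module directory before it is used in an include. The function names, the $allowed and $protected lists, the module path and the constructed request are assumptions chosen to mirror the modify.php preamble.

```php
<?php
// Added example, not part of the XFsection module or the original post.
// Replaces the "foreach ($HTTP_GET_VARS as $k => $v) ${$k} = $v;" pattern:
// request values land in an array, only allow-listed names are accepted,
// and names that collide with script-controlled variables are refused.

// Constructed sample request: one legitimate editor parameter and an attempt
// to override $dir_module (placeholder hostile value, not a real host).
$constructed_request = array(
    'editor'     => 'dhtml',
    'dir_module' => 'http://attacker.invalid/x',
);

// Variables the script must keep control of (assumed list for the example).
$protected = array('dir_module', 'xoopsModule', 'xoopsDB', 'xoopsUser');

// Request names the editor include is assumed to need (assumed list).
$allowed = array('editor', 'textarea_id', 'height');

/**
 * Import request variables into an array instead of the symbol table.
 * Returns array('vars' => accepted name=>value, 'rejected' => refused names).
 */
function import_request_vars(array $request, array $allowed, array $protected)
{
    $vars = array();
    $rejected = array();
    foreach ($request as $k => $v) {
        // Refuse anything that is protected or simply not expected.
        if (in_array($k, $protected, true) || !in_array($k, $allowed, true)) {
            $rejected[] = $k;
            continue;
        }
        // Only bounds the names; the caller still validates the values.
        $vars[$k] = is_string($v) ? $v : '';
    }
    return array('vars' => $vars, 'rejected' => $rejected);
}

/**
 * Resolve a module directory under $root and refuse anything that is not a
 * plain directory name (no separators, no "..", no URL scheme), so the value
 * can safely be interpolated into include_once.
 * Returns the resolved path, or null if the name is not acceptable.
 */
function safe_module_dir($root, $dirname)
{
    if (!is_string($dirname) || !preg_match('/^[A-Za-z0-9_-]+$/', $dirname)) {
        return null;
    }
    $path = realpath($root . '/modules/' . $dirname);
    // realpath() fails for a missing directory; also require the result to
    // stay below the modules root.
    $base = realpath($root . '/modules');
    if ($path === false || $base === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

// Assumed XOOPS root; the directory check is what matters, not this value.
$xoops_root = '/var/www/xoops';
$module_name = 'xfsection';

$dir_module = safe_module_dir($xoops_root, $module_name);
if ($dir_module === null) {
    // Fail closed instead of building an include path from a bad name.
    error_log("refusing module directory '$module_name'");
    exit(1);
}

$result = import_request_vars($constructed_request, $allowed, $protected);
foreach ($result['rejected'] as $name) {
    // Worth alerting on: a request tried to set a protected or unknown name.
    error_log("request tried to set '$name'; ignored");
}

// $dir_module is untouched, so includes such as
// include_once "$dir_module/class/wfsfiles.php"; still resolve locally.
$editor = isset($result['vars']['editor']) ? $result['vars']['editor'] : 'default';
echo "dir_module: $dir_module\neditor: $editor\n";
```

Running this against the constructed request logs a rejection for dir_module and leaves only editor in the accepted set; the include path never depends on request data. In a real deployment the realpath() call also requires the module directory to exist, which is the intended behaviour: an unknown module name should stop the script rather than fall through to an include of a remote or relative path.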