[VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability

George A. Theall theall at tenablesecurity.com
Wed Jun 13 17:43:12 UTC 2007


Just an FYI... Milw0rm 4068 works but requires authentication. The code 
in modify.php starts out like this:

   include '../../mainfile.php';

   $dir_module = XOOPS_ROOT_PATH.'/modules/'.$xoopsModule->dirname();
   include_once "$dir_module/conf.php";
   include_once "$dir_module/include/groupaccess.php";
   include_once "$dir_module/class/common.php";
   include_once "$dir_module/class/wfscategory.php";
   include_once "$dir_module/class/wfsarticle.php";
   include_once "$dir_module/class/wfsfiles.php";

so initially it looked like the attack wouldn't work. Turns out, though, 
that it calls 'class/wfsarticle.php', which in turn calls 
'include/wysiwygeditor.php', which contains this little nugget:

   foreach ($HTTP_POST_VARS as $k => $v) {
           ${$k} = $v;
   }

   foreach ($HTTP_GET_VARS as $k => $v) {
           ${$k} = $v;
   }

At this point, the attacker's got control over dir_module, which then 
comes into play when trying to include wfsfiles.php.


George
-- 
theall at tenablesecurity.com
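An added example, not part of George's message or the XOOPS code: a small Python scanner that flags the two patterns the message chains together, a foreach over a request array that assigns through `${$k}` (register_globals emulation) and an include whose path is built from a variable, and reports the variable-path includes as request-controllable when both are present in the scanned set. The file names and contents below are constructed excerpts mirroring the quoted files, not the real module source.

```python
import re

# Constructed excerpts mirroring the two files the message quotes (not the real XOOPS source).
SAMPLE_FILES = {
    "modify.php": (
        "include '../../mainfile.php';\n"
        "$dir_module = XOOPS_ROOT_PATH.'/modules/'.$xoopsModule->dirname();\n"
        "include_once \"$dir_module/conf.php\";\n"
        "include_once \"$dir_module/class/wfsarticle.php\";\n"
        "include_once \"$dir_module/class/wfsfiles.php\";\n"
    ),
    "include/wysiwygeditor.php": (
        "foreach ($HTTP_POST_VARS as $k => $v) {\n    ${$k} = $v;\n}\n"
        "foreach ($HTTP_GET_VARS as $k => $v) {\n    ${$k} = $v;\n}\n"
    ),
}

# A foreach over a request array whose body assigns through a variable variable,
# i.e. the register_globals emulation shown in wysiwygeditor.php.
REGISTER_GLOBALS_RE = re.compile(
    r"foreach\s*\(\s*\$(HTTP_(?:GET|POST|COOKIE)_VARS|_(?:GET|POST|COOKIE|REQUEST))"
    r"\s+as\s+\$(\w+)\s*=>\s*\$(\w+)\s*\)\s*\{[^}]*\$\{\s*\$\2\s*\}\s*=\s*\$\3",
    re.S,
)
# An include/require whose double-quoted path interpolates a variable.
VAR_INCLUDE_RE = re.compile(
    r'\b(include|include_once|require|require_once)\b\s*\(?\s*"[^"]*\$(\w+)[^"]*"'
)

def line_of(src, pos):
    return src.count("\n", 0, pos) + 1

def scan(files):
    """Return (globals_hits, include_hits) as (file, line, detail) tuples."""
    globals_hits, include_hits = [], []
    for name, src in files.items():
        for m in REGISTER_GLOBALS_RE.finditer(src):
            globals_hits.append((name, line_of(src, m.start()), m.group(1)))
        for m in VAR_INCLUDE_RE.finditer(src):
            include_hits.append((name, line_of(src, m.start()), m.group(2)))
    return globals_hits, include_hits

def controllable_includes(files):
    """Variable-path includes that become request-controllable once any file
    in the set re-creates register_globals (the chain the message describes)."""
    globals_hits, include_hits = scan(files)
    return include_hits if globals_hits else []
```

Calling `controllable_includes(SAMPLE_FILES)` returns the three `$dir_module` includes from modify.php; the same includes are not reported when no file in the set contains the extraction loop.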

