----------------------------------------------------------------------
...
if (file_exists("themes/$ThemeSel/modules/$name/$mod_file.php")) {
    $modpath = "themes/$ThemeSel/";
}
$modpath .= "modules/$name/$mod_file.php";
if (file_exists($modpath)) {
    include($modpath);
} else {
...
----------------------------------------------------------------------

What we can see is that if the selected theme has no customized module file, the path to the default module file is concatenated onto the variable $modpath:

$modpath .= "modules/$name/$mod_file.php";

Hmm, it seems that $modpath is not initialized at all under those conditions... Let's test it in the real world:

http://localhost/nuke73/index.php?modpath=foobar

And here is what we see:

"There is a problem right now on the Homepage. Please check back later."

Yes, yes, yes, it works! But now comes bad news for all potential attackers (and good news for website admins): do you see the code "if (file_exists($modpath))"? This check will defeat our attempt at remote file inclusion on most servers. Why "most" and not "all"? For the answer, let's look at the PHP manual (RTFM!!!):