[Full-Disclosure] Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7

Majest FistFuXXer at gmx.de
Sun Feb 6 15:38:30 GMT 2005 

Title:   Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7
Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
         #ofb-clan at irc.quakenet.org:6667


 1. Local *.php file inclusion:
---------------------------------

 Because of no user input validation in 'index.php' it's possible to include
 every local *.php file. Let's take a look at the most important part of the
 source code:

  ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

   $show = $_REQUEST['show'];
   require ("config.php");

   if (!file_exists("show/$show.php"))
   {
     $notfound = $show;
     $show = 'error';
   }

   $page = "show/$show.php";

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~

  Yeah, there is no validation of the variable '$show'. So we can easily 
access
  every local file ending with '.php', also in restricted directories like
  htaccess. We can easily jump outside the 'show' directory and include 
every
  file ending with '.php'!

  Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common

  Don't worry about the response "Hacking attempt". It's just a die() 
message
  from 'common.php' of their htaccess protected phpBB. ;-)


 2. Full path disclosure:
---------------------------

  And by including the 'index.php' into itself with the above vulnerability 
we
  can cause a full path disclosure.

  Example URL: http://www.rz-liga.com/index.php?show=../index


 3. Let's fix that shit! =)
-----------------------------

  Just replace in 'index.php':

  ~~ SOURCE CODE ~~~~~~~~~~~~~~~~~~~~~~~~

   $show = $_REQUEST['show'];

   if(ereg("\.\.", $show))
   {
     $show = '';
   }

   require ("config.php");

   if (!file_exists("show/$show.php"))
   {
     $notfound = $show;
     $show = 'error';
   }

   $page = "show/$show.php";

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ END ~~


 4. Greetings:
----------------

  Greetings fly out to all members of OfB-Clan that know me. And sorry for 
the
  events that occured at and after the 25th December. Please forgive me and
  please stop seeing me as a criminal kiddie. Better see me as a guardian! 
=D

Full-Disclosure is hosted and sponsored by Secunia.