Vanilla Forum p Parameter Local File Inclusion

medium Nessus Plugin ID 54614

Synopsis

The remote web server hosts a PHP script that's affected by a local file inclusion vulnerability.

Description

The remote web server hosts Vanilla Forums, an open source forum software written in PHP.

The installed version of Vanilla Forums treats '/' as the only separator when the '_AnalyzeRequest()' method in 'library/core/class.dispatcher.php' splits input passed via the 'p' parameter of the 'index.php' script into a directory and a controller name. The directory is then used in a PHP 'require_once()' function call in the '_FetchController()' method in the same class library.

When Vanilla is installed on a Windows host, an unauthenticated, remote attacker can use '\' as an alternate directory separator in directory traversal sequences in order to control the directory as well as the initial part of the file to be used in that 'require_once()' call.
This can allow the attacker to view arbitrary files or possibly to execute arbitrary PHP code, subject to the privileges under which the web server operates.
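
The following is an added example, not Vanilla's code or the plugin's check: a simplified PHP model of a dispatcher that splits 'p' on '/' and validates each piece against an allowlist, then confirms containment, before any path could reach 'require_once()'. The function names, the '<directory>/<controller>.php' layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Simplified model of the parsing described above; NOT Vanilla's code.
// is_safe_segment() and resolve_controller() are hypothetical names.

// Allowlist check: letters, digits and underscore only. This rejects '\',
// '.', ':', NUL bytes and empty strings regardless of the host OS.
function is_safe_segment(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_]+\z/', $s) === 1;
}

// Returns the canonical controller path, or null if the request is rejected.
function resolve_controller(string $baseDir, string $p): ?string {
    // Splitting on '/' alone is the flawed assumption: on Windows a '\'
    // inside either piece is still a directory separator to the filesystem.
    [$dir, $controller] = array_pad(explode('/', $p, 2), 2, '');
    if (!is_safe_segment($dir) || !is_safe_segment($controller)) {
        return null;
    }
    // Assumed layout for this example: <base>/<directory>/<controller>.php
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $dir
               . DIRECTORY_SEPARATOR . $controller . '.php';
    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null; // file does not exist
    }
    // Defence in depth: the canonical path must stay under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo tree in the temp directory so the example runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
@mkdir($base . DIRECTORY_SEPARATOR . 'forum', 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'forum'
    . DIRECTORY_SEPARATOR . 'discussion.php', "<?php // stub\n");

// Constructed sample values for 'p': one normal, three that must be refused.
$samples = ['forum/discussion', '..\\..\\other/name', 'forum/..', 'forum/a\\b'];
foreach ($samples as $p) {
    $path = resolve_controller($base, $p);
    printf("%-20s => %s\n", $p, $path === null ? 'rejected' : 'accepted');
}
```

Only 'forum/discussion' is accepted. The other three samples fail the allowlist before any filesystem call is made, so the result does not depend on which separator the host honours.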

Solution

Unknown at this time.

See Also

http://www.nessus.org/u?8606f33c

http://www.nessus.org/u?dc922728

Plugin Details

Severity: Medium

ID: 54614

File Name: vanilla_p_lfi.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 5/23/2011

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 5/14/2011

Exploitable With

Elliot (Vanilla Forums 2.0.17.9 LFI)

Reference Information

BID: 47873