PHP remote file inclusion vulnerability in show_joined.php in Indiscripts Enthusiast 3.1.4, and possibly earlier, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: the researcher also points out the analogous directory traversal issue.
Indiscripts Enthusiast 3.1.4, and potentially earlier versions, is vulnerable to remote file inclusion (RFI), which lets an attacker execute arbitrary PHP code on the server. The flaw stems from a failure to validate user-supplied input: the path parameter of show_joined.php is used in a file include without checks, so an attacker can supply the URL of a PHP file they control. Successful exploitation can lead to complete compromise of the server and exfiltration of its data.
Step 1, craft the payload: the attacker writes a PHP script containing the desired payload (for example a web shell, a reverse shell, or code that exfiltrates data) and hosts it on a server they control.
Step 2, construct the exploit URL: the attacker builds a request to show_joined.php whose path parameter is set to the URL of that script.
Step 3, deliver the exploit: the attacker sends the crafted URL to the vulnerable server, typically from a web browser or an automated tool.
Step 4, vulnerable script execution: show_joined.php receives the request and, lacking any input validation, includes the file named by the path parameter, that is, the attacker's script.
Step 5, payload execution: the server's PHP interpreter runs the attacker's code, giving the attacker control of the server and a foothold for further actions such as privilege escalation or data theft.
The vulnerability lies in the show_joined.php script of Indiscripts Enthusiast. The script neither validates nor sanitizes the path parameter before using it to include a file, so an attacker can point it at a PHP script hosted on a remote server; when the include runs, the PHP interpreter executes that code and the attacker gains control of the server. The root cause is missing input validation: the script checks neither the origin nor the content of the file it includes, a textbook RFI resulting from insecure coding practice. The analogous directory traversal issue noted in the description is a secondary weakness that could be chained with the RFI to expose sensitive files on the server.
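A hardened version of the include pattern the description implies, added here as an example and not code from Enthusiast (the template directory and file names are hypothetical): the request value becomes a key into an allowlist rather than a path, and the resolved file must still sit inside one fixed directory, which closes both the remote-URL and the traversal routes to include().

```php
<?php
// Added illustration, not code from Enthusiast: the description implies a
// pattern along the lines of `include $_GET['path'];`, which hands a remote
// URL or a ../ sequence straight to include(). The hardened version below
// never treats the parameter as a path: it is a key into an allowlist, and
// the resolved file must still live inside one fixed directory.
declare(strict_types=1);

// Directory holding the only files this page may include (hypothetical
// layout; the page does not describe Enthusiast's file structure).
const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: request values are symbolic names, never file names or URLs.
const ALLOWED_TEMPLATES = [
    'joined' => 'joined.php',
    'list'   => 'list.php',
];

/**
 * Map the untrusted `path` parameter to a file we are willing to include.
 * Returns the absolute path, or null when the name is not allowlisted or
 * the resolved file escapes TEMPLATE_DIR.
 */
function resolveTemplate(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;   // rejects http://..., ../../etc/passwd, php://..., etc.
    }
    $base = realpath(TEMPLATE_DIR);
    $file = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $file === false) {
        return null;   // directory or file missing: fail closed
    }
    // Defence in depth: even an allowlisted entry must resolve under TEMPLATE_DIR.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

$template = resolveTemplate((string)($_GET['path'] ?? 'joined'));
if ($template === null) {
    http_response_code(400);
    exit('Invalid page requested.');
}
include $template;
```

Independently of the code fix, `allow_url_include = Off` in php.ini (the default) stops include() from fetching http:// or ftp:// URLs at all, which closes the remote half of this bug even if an application check is bypassed; the traversal half still needs the allowlist.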