Explanation:
When register_globals = on, it is possible to substitute local files for the included adodb scripts.
The vulnerability is caused by an uninitialised variable ($include_path), which can easily be injected by passing the variable to the script from the web.
Thanks to the usage of realpath() this vulnerability is limited to a local level, so only people who have enough server access to create two malicious scripts can take advantage of this bug.
Results of abuse:
This vulnerability can be used to retrieve the password of the mysql account being used by the system.
Affected files:
gui/include/sql.php
Affected versions:
RC1, RC2. Prior versions may also be affected.
Most likely all installations are affected, because register_globals = on is required to get the files manager working due to its bad coding.
Exploit:
Opening http://domain.tld/vhcs2/include/sql.php?include_path=/path/to/directory/with/malicious/scripts
Where /path/to/directory/with/malicious/ is a directory which contains at least /adodb/adodb.inc.php and /adodb/adodb-pager.inc.php
Those scripts can eventually load the rest of the panel scripts and emulate the ADONewConnection and $sql->Connect functions and retrieve the password being used to connect to the sql database.
Fix:
The fix used in VHCS (which isn't affected by this vulnerability) is to call $include_path = realpath(dirname(__FILE__)); right before the scripts inclusion. Even though this is enough to fix the vulnerability, I recommend replacing the usage of include_once() in all the scripts with a simple require(). If the code is designed correctly there's no real reason to make use of require_once which in a possible file inclusion could even continue the script execution instead of stopping.
As another way to prevent any other attack of this kind, I recommend that all the included files that shouldn't be called directly verify the existence of a constant which should be defined by the script that is directly called.
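
Added example, not part of the original advisory and not VHCS code: a small audit script that checks a PHP include file for the two conditions discussed under Fix, namely an inclusion whose path starts with a variable that was not assigned earlier in the same file, and an inclusion reached without a defined() check. The sample sources and the constant name PANEL_ENTRY are constructed for illustration; the check is line-based and does not follow assignments made in other files.

```python
import re

# Constructed samples, not VHCS source: an include file shaped like the one
# the advisory describes, and the same file with both recommended fixes.
VULNERABLE = """<?php
include_once($include_path . '/adodb/adodb.inc.php');
include_once($include_path . '/adodb/adodb-pager.inc.php');
"""
HARDENED = """<?php
if (!defined('PANEL_ENTRY')) { exit; }  // PANEL_ENTRY: hypothetical name
$include_path = realpath(dirname(__FILE__));
require($include_path . '/adodb/adodb.inc.php');
require($include_path . '/adodb/adodb-pager.inc.php');
"""

# include/require (optionally _once) whose path expression starts with a variable
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)")
# plain assignment at the start of a line ("==" comparisons are excluded)
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=[^=]")
# the "constant defined by the directly called script" check
GUARD_RE = re.compile(r"!\s*defined\s*\(")


def audit(source):
    """Return (line_no, code, detail) findings for one PHP include file."""
    findings, assigned = [], set()
    need_guard = True  # cleared by a defined() check, or once reported
    for no, line in enumerate(source.splitlines(), 1):
        if GUARD_RE.search(line):
            need_guard = False
        m = ASSIGN_RE.match(line)
        if m:
            assigned.add(m.group(1))
        for inc in INCLUDE_RE.finditer(line):
            var = inc.group(1)
            if need_guard:
                findings.append((no, "no-guard", "inclusion reached without a defined() check"))
                need_guard = False
            if var not in assigned:
                findings.append((no, "uninit-path", "$" + var + " is not assigned before this inclusion"))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(src) or "clean")
```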