CPG Dragonfly CMS install.php newlang Variable Local File Inclusion

2006-02-08T09:01:10
ID OSVDB:23058
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2006-02-08T09:01:10

Description

Vulnerability Description

CPG-Nuke Dragonfly CMS contains a flaw that allows a remote attacker to include files from outside of the web path. The issue is due to install.php not properly sanitizing user input, specifically directory-traversal sequences (../../) supplied via the 'newlang' variable. This flaw permits the inclusion of files controlled by remote user input, which may be leveraged to execute arbitrary code, resulting in a loss of integrity.

Technical Description

There are at least two ways described for an arbitrary user to create input on the server that can then be included. The first is to send a request that would be logged in the error log. The second is to upload a malicious PNG image (permitted by default for authenticated users).

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

Manual Testing Notes

http://[target]/[path]/install.php?newlang=../../cpg_error.log%00
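Added example (not from the OSVDB record or the Dragonfly CMS project): a Python scanner that parses constructed access-log lines, decodes the newlang parameter including double-encoded forms, and flags the traversal and null-byte pattern shown in the manual testing note above. The language-name allowlist regex is an assumption, not Dragonfly's own rule.

```python
"""Detect install.php?newlang= traversal / null-byte attempts in access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2006:09:01:10 +0000] "GET /cms/install.php?newlang=english HTTP/1.1" 200 512
10.0.0.7 - - [08/Feb/2006:09:02:11 +0000] "GET /cms/install.php?newlang=../../cpg_error.log%00 HTTP/1.1" 200 2048
10.0.0.9 - - [08/Feb/2006:09:03:12 +0000] "GET /cms/install.php?newlang=..%252f..%252fcpg_error.log%2500 HTTP/1.1" 200 2048
10.0.0.11 - - [08/Feb/2006:09:04:13 +0000] "GET /cms/index.php HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Assumed shape of a legitimate language name: letters, digits, '_' and '-' only.
SAFE_LANG_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %252f / %2500)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_newlang(value):
    """Return the reasons a newlang value is suspicious (empty list == benign)."""
    decoded = fully_decode(value)
    reasons = []
    if '\x00' in decoded:                      # null-byte truncation of the include path
        reasons.append('null-byte')
    if '../' in decoded or '..\\' in decoded:  # directory traversal out of the language dir
        reasons.append('traversal')
    if not SAFE_LANG_RE.match(decoded):        # anything a language name should never contain
        reasons.append('outside-allowlist')
    return reasons


def scan_log(text):
    """Return (ip, newlang value, reasons) for each suspicious install.php request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/install.php'):
            continue
        # parse_qs already removes one encoding layer; classify_newlang strips the rest.
        for value in parse_qs(parts.query, keep_blank_values=True).get('newlang', []):
            reasons = classify_newlang(value)
            if reasons:
                hits.append((m.group('ip'), value, reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports the two traversal requests and ignores the plain `newlang=english` hit and the unrelated index.php line.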

References:

Vendor Specific News/Changelog Entry: http://dragonflycms.org/Forums/viewtopic/p=98034.html#98034
Security Tracker: 1015601
Related OSVDB ID: 23060
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0139.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0126.html
CVE ID: CVE-2006-0644