Remote File Disclosure in phpCMS 1.2.2

Type securityvulns
Reporter Securityvulns
Modified 2008-01-29T00:00:00


Digital Security Research Group [DSecRG] Advisory #DSECRG-08-005

Application: phpCMS Versions Affected: 1.2.2 Vendor URL: Bug: Remote File Disclosure, Get admin password Exploits: YES Reported: 10.01.2008 Vendor response: 12.01.2008 Date of Public Advisory: 29.01.2008 Authors: Alexandr Polyakov, Stas Svistunovich Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


phpCMS system has remote File Disclosure vulnerability in page /parser/include/class.cache_phpcms.php


Attacer can read any files in web directory.

In file parser/parser.php include class.cache_phpcms.php

    // Load the i18n Handler
    if (isset ($_GET ['file']) && isset($DEFAULTS->I18N) && 'on' == $DEFAULTS->I18N) {
            $I18N = &new i18n;

In file class.cache_phpcms.php function GetFile() parse URL and return full file name or default value. Function checks file extension but does't check for null byte injection.

To read file attacker must append a valid extension with null byte to file like a "%00.gif" or smth.

// filequery exists, but filename is empty? -> set the defaultvalue for filename if(!stristr($temp, $DEFAULTS->PAGE_EXTENSION) AND !stristr($temp, '.gif') AND !stristr($temp, '.png') AND !stristr($temp, '.jpg') AND !stristr($temp, '.js') AND !stristr($temp, '.css') AND !stristr($temp, '.htm') AND !stristr($temp, '.html'))

{ if(substr($temp, -1) != '/') { $temp = trim($temp).'/'.$DEFAULTS->PAGE_DEFAULTNAME; $temp.= $DEFAULTS->PAGE_EXTENSION; } else { $temp = trim($temp).$DEFAULTS->PAGE_DEFAULTNAME; $temp.= $DEFAULTS->PAGE_EXTENSION; } }

In file class.cache_phpcms.php function CheckFile() take file name and if file exist read it and print file contents.

$PfadUndDatei = $this->GetFile();

$this->name = basename($PfadUndDatei); $this->path = dirname($PfadUndDatei); ...

// there's no contentfile with this name -> errorpage or errormessage if(!file_exists($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name)) { $errorname = basename($DEFAULTS->ERROR_PAGE_404); $errorpath = dirname($DEFAULTS->ERROR_PAGE_404); ... ...

$fsize = filesize($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name); $fd = fopen($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name, "rb"); $contents = fread($fd, $fsize); $contents = trim($contents); $fsize = strlen($contents); fclose($fd); ...

echo $contents;



default.php includes admin password and other defaults:

class defaults { function defaults() { global $PHP, $PHPCMS; if(!defined("DEFAULTS")) { define("DEFAULTS", TRUE); }

            $this->PASS = 'YourPasswordHere';


In windows we can read any local file:



Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru (in Russian)


Digital Security Research Group