phpwcms multiple vulnerabilities

Risk: Medium
Local: No
Remote: Yes

Vendor:

Bugs: Path Disclosure, XSS, Local File Inclusion, Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions may also be affected)
Exploitation: Remote, with a browser

Description:
--------------------
phpwcms is a web content management system optimized for fast and easy setup on any standard web server, aimed at professional, public and private users.

Vulnerability:
--------------------

-->>Path Disclosure<<--
Reason: Several include files can be requested directly. Loaded outside their normal context they raise PHP errors (undefined variables, missing includes) that contain the installation path.
Example: hp

-->>XSS<<--
Reason: With register_globals enabled, a request parameter of the form BL[be_cnt_plainhtml] populates the $BL language array, and several template files echo entries of that array into the page without any HTML encoding.
Example: http://localhost/php/phpwcms/include/inc_tmpl/content/[be_cnt_plainhtml]=<script>alert(document.cookie)</script>
Code Snippet: /include/inc_tmpl/content/ (line 28)
    <?php echo $BL['be_cnt_plainhtml'] ?>

-->>Local File Inclusion<<--
Reason: The bundled SPAW editor script (an external component) takes its root directory from $spaw_root, which register_globals lets an attacker set from the request. The only check rejects strings containing "://", so it blocks remote (URL wrapper) inclusion but does nothing against "../" traversal. With magic_quotes_gpc Off the %00 is passed through unescaped and, in the PHP versions current at the time, terminates the path, so the "config/spaw_control.config.php" suffix appended by the include is discarded and an arbitrary local file is included instead.
Example: http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00
Code Snippet: /include/inc_ext/spaw/spaw_control.class.php (lines 15-20)
    if (preg_match("/:\/\//i", $spaw_root)) die ("can't include external file");
    include $spaw_root.'config/spaw_control.config.php';
    include $spaw_root.'class/util.class.php';
    include $spaw_root.'class/toolbars.class.php';
    include $spaw_root.'class/lang.class.php';

-->>Remote Code Execution<<--
Reason: An attacker can upload a picture whose EXIF metadata contains PHP code as part of a post, then point the local file inclusion above at that file. include parses the file as PHP regardless of its .jpg extension, so the embedded code runs on the server.
Example: spaw_root=../../../picture/upload/shell.jpg%00

Solution:
--------------------
The vendor has been contacted, but we are not aware of any vendor-supplied patch. Every issue except the path disclosure depends on register_globals; disabling it in php.ini closes them until a fix is released.

Original Advisories:
--------------------
In Farsi:

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
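Hardened counterparts to the three weak spots above, written for this page as an added example; this is not phpwcms or SPAW code, and the function names, the fixed-root assignment and the constructed JPEG samples are assumptions for illustration. The include guard shows what the "://" check misses (traversal and the null byte), the escaping helper is what the template line should call, and the metadata scanner is an upload-side defence in depth against PHP tags hidden in EXIF or comment segments.

```php
<?php
// Added example, not phpwcms or SPAW code. Paths, names and samples are assumptions.
declare(strict_types=1);

// --- Local file inclusion --------------------------------------------------
// The shipped check only rejects "://". It still lets "../" leave the editor
// directory, and in PHP before 5.3.4 a null byte ("%00" in the URL) ends the
// path, cutting off the appended "config/spaw_control.config.php" suffix.
// The root should be fixed by the script, never read from the request:
$spaw_root = __DIR__ . '/';   // was: populated by register_globals

// Where a configurable root is genuinely needed, confine it to one directory.
function resolve_spaw_root(string $candidate, string $allowedBase): string
{
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        throw new InvalidArgumentException('empty root or embedded null byte');
    }
    if (preg_match('#://#', $candidate)) {
        throw new InvalidArgumentException('remote roots are not allowed');
    }
    $base = realpath($allowedBase);
    $real = realpath($candidate);          // resolves ../ and symlinks
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('root does not exist');
    }
    // The canonical path must be the base itself or sit below it.
    if ($real !== $base
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('root escapes ' . $base);
    }
    return $real . DIRECTORY_SEPARATOR;
}

// --- Cross-site scripting ----------------------------------------------------
// Template strings are echoed raw. Encode on output, and never let request
// parameters populate $BL: register_globals off, and $BL = [] initialised
// before the language file is loaded.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// template line becomes:  <?php echo esc($BL['be_cnt_plainhtml']) ?>

// --- PHP code hidden in image metadata --------------------------------------
// Walk the JPEG marker segments and flag APPn (EXIF is APP1) or COM segments
// carrying a PHP open tag. This raises the bar for uploads; it does not
// replace the include fix above, and a short "<?" tag is deliberately not
// matched because XMP packets legitimately start with "<?xpacket".
function jpeg_metadata_has_php(string $bytes): bool
{
    if (substr($bytes, 0, 2) !== "\xFF\xD8") {
        return false;                      // not a JPEG; reject elsewhere
    }
    $pos = 2;
    $len = strlen($bytes);
    while ($pos + 4 <= $len && ord($bytes[$pos]) === 0xFF) {
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xD9 || $marker === 0xDA) {
            break;                         // EOI or start of scan: metadata is over
        }
        $segLen  = unpack('n', substr($bytes, $pos + 2, 2))[1]; // counts its own 2 bytes
        $payload = substr($bytes, $pos + 4, $segLen - 2);
        $isMeta  = ($marker >= 0xE0 && $marker <= 0xEF) || $marker === 0xFE;
        if ($isMeta && preg_match('/<\?(?:php\b|=)/i', $payload)) {
            return true;
        }
        $pos += 2 + $segLen;
    }
    return false;
}

// Constructed samples, not real uploads: a bare SOI/EOI pair, and one with a
// COM segment holding a PHP tag where an EXIF comment would sit.
$clean = "\xFF\xD8\xFF\xD9";
$com   = '<?php system($_GET["c"]); ?>';
$bad   = "\xFF\xD8\xFF\xFE" . pack('n', strlen($com) + 2) . $com . "\xFF\xD9";

var_dump(jpeg_metadata_has_php($clean));
var_dump(jpeg_metadata_has_php($bad));
```

The ordering of the checks in resolve_spaw_root matters: the null-byte test runs before realpath, because realpath itself would otherwise see the truncated path and report a file that exists. The scanner is string matching, so it will not catch code in other container formats or in the image body; re-encoding uploads with GD and keeping the upload directory out of reach of any include remain the controls that actually close the RCE.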
