____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/ .OR.ID
ECHO_ADV_76$2007

------------------------------------------------------------------------------------------
[ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability
------------------------------------------------------------------------------------------

Author : Dedi Dwianto a.k.a the_day
Date Found : March, 15th 2007
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv76-theday-2007.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~

Application : Company WebSite Builder PRO ( CWB )
version : 1.9.8
URL : http://www.grafxsoftware.com/

This software makes it easy to build an e-commerce site that processes credit cards and
wire transfers. It is a Content Management System that is easy to install and use WITHOUT having
to FTP upload pages every time they need to be updated.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~

- Unsafe include calls in comanda.php: the include prefix variables $INCLUDE_PATH and
  $INCLUDE_LANGUAGE_PATH are used to build file names that are passed straight to include(),
  so a remote caller who controls those variables can make the script load an arbitrary file.
-----------------------comanda.php------------

<?
...
include($INCLUDE_LANGUAGE_PATH."$LANG.inc.php");
include($INCLUDE_PATH."connection.php");
include_once($INCLUDE_PATH."connection.php");
include_once($INCLUDE_PATH."cls_produs.php");
include_once($INCLUDE_PATH."cls_left_menu.php");
include_once($INCLUDE_PATH."cls_stire.php");
include_once($INCLUDE_PATH."cls_orders.php");
include_once($IN
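
For comparison, a hardened form of the same include sequence, added here as an example and not part of CWB or of this advisory: the include directory is a constant the request cannot override, the user-selectable language is mapped through an allow-list, and every resolved path is checked to stay inside the include tree before it is loaded. The directory layout, the language list and the safeInclude() helper are assumptions for the example.

```php
<?php
// Added example, not code from Company WebSite Builder PRO.
// Same includes as comanda.php, with the path and language no longer taken
// from request input.

// 1. Fixed include directory set by the application. Under register_globals an
//    unset $INCLUDE_PATH could be supplied by the request; a constant cannot.
define('INCLUDE_PATH', __DIR__ . '/includes/');           // assumed layout
define('INCLUDE_LANGUAGE_PATH', INCLUDE_PATH . 'lang/');  // assumed layout

// 2. The language is user-selectable, so validate it against an allow-list
//    instead of concatenating the raw value into a file name.
$allowedLanguages = ['en', 'ro', 'de'];                   // assumed list
$lang = isset($_GET['LANG']) ? (string) $_GET['LANG'] : 'en';
if (!in_array($lang, $allowedLanguages, true)) {
    $lang = 'en';   // unknown value: fall back rather than trust the input
}

// 3. Resolve the final path and refuse anything outside the include tree.
//    realpath() collapses "../", returns false for missing files and does not
//    resolve http:// or ftp:// wrappers, so a remote URL can never get through.
function safeInclude(string $baseDir, string $file): void
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('refusing to include ' . $file);
    }
    require_once $real;
}

safeInclude(INCLUDE_LANGUAGE_PATH, $lang . '.inc.php');
safeInclude(INCLUDE_PATH, 'connection.php');
safeInclude(INCLUDE_PATH, 'cls_produs.php');
safeInclude(INCLUDE_PATH, 'cls_left_menu.php');
safeInclude(INCLUDE_PATH, 'cls_stire.php');
safeInclude(INCLUDE_PATH, 'cls_orders.php');
```

Pair the code change with register_globals = Off and allow_url_include = Off in php.ini, so that request parameters can no longer populate script variables and include() refuses URL wrappers regardless of application code.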