<?php

/*
-----------------------------------------------------------------
CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit
-----------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.[1].: http://cmsfromscratch.com/
link.[2].: http://cmsfromscratch.googlecode.com/files/cmsfs114b.tgz (tested package)

[-] vulnerable code in /cms/FCKeditor/editor/filemanager/connectors/php/config.php

27. // SECURITY: You must explicitelly enable this "connector". (Set it to "true").
28. // WARNING: don't just set "ConfigIsEnabled = true", you must be sure that only
29. // authenticated users can access this file or use some kind of session checking.
30. $Config['Enabled'] = true ; <====== (connector enabled unconditionally; no authentication or session check is visible in this excerpt, contrary to the WARNING above)
31.
32. $path = $_SERVER["REQUEST_URI"] ;
33. $relativePathFromWebServerRoot = substr($path, 0, strpos($path, "/", 1) );
34. // Coming out as /CMS, why???
35.
36.
37.
38. // Path to user files relative to the document root.
39. // This is what is inserted into the HTML markup
40. $Config['UserFilesPath'] = urldecode(rtrim(str_replace('cms/FCKeditor/editor/filemanager/connectors/php', '', dirname($_SERVER['SCRIPT_NAME'])), '/')) ;
41. if ($Config['UserFilesPath'] == '') $Config['UserFilesPath'] = '/' ;
42.
43. // Fill the following value it you prefer to specify the absolute path for the user files directory. Useful if you are using a virtual directory, symbolic link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
44. // Attention: The above 'UserFilesPath' must point to the same directory.
45. // BH note: This is used for browsing the server.. should equate to the real path of the folder where /cms/ is installed
46. $Config['UserFilesAbsolutePath'] = realpath('../../../../../../') ;
47.
48. // Due to security issues with Apache modules, it is reccomended to leave the following setting enabled.
38
49.
$Config[’ForceSingleExtension’] =