lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 21 May 2006 16:11:59 -0700 (PDT)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [KAPDA::#43] - phpwcms multiple vulnerabilities


Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion,
Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions
also maybe affected)
Exploitation: Remote with browser

Description:
--------------------
phpwcms is a web content management system optimized
for fast and easy setup on any standard web server.
phpwcms is perfect for professional, public and
private users.

Vulnerability:
--------------------
-->>Path Disclosure<<--
Reason: direct access to include files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php

-->>XSS<<--
Reason: when register globals is enable several
template files are vulnerable to xss.

Example:
http://localhost/php/phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=<script>alert(document.cookie)</script>

Code Snippet:
/include/inc_tmpl/content/cnt6.inc.php //line#28
<?php echo $BL['be_cnt_plainhtml'] ?>

-->>Local File Inclusion<<--
Reason: Incorrect use of spaw script (external script)
and its configuration result in local file inclusion
when register globals is enable and gpc_magic_quotes
is Off.

http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd%00

Code Snippet:
/include/inc_ext/spaw/spaw_control.class.php
//lines:#15-20

if (preg_match("/:\/\//i", $spaw_root)) die ("can't
include external file");

include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';

-->>Remote Code Execution<<--
Reason: It is possible for an attacker to upload a
picture with php code as EXIF metadata content in his
post and then he can uses above vulnerability to
conduct remote code execution.

Example:
http://example.com/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../picture/upload/shell.jpg%00

Solution:
--------------------
Vendor has been contacted but we are not aware of any
vendor supplied patch.
 
Original Advisories:
--------------------
http://www.kapda.ir/advisory-331.html
IN Farsi:http://irannetjob.com/
Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ