Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8775
HistoryJun 02, 2005 - 12:00 a.m.

[Full-disclosure] SEC-CONSULT SA20050602-1 :: Arbitrary File Inclusion in phpCMS 1.2.x

2005-06-0200:00:00
vulners.com
13
JSON

SEC-CONSULT Security Advisory 20050602-1

              title: Arbitrary File Inclusion in phpCMS 1.2.x
            program: phpCMS
 vulnerable version: 1.2.0, 1.2.1, 1.2.1pl1
           homepage: www.phpcms.de
              found: 2005-05-31
                 by: sk0L / SEC-CONSULT / www.sec-consult.com

=======================================================================

vendor description:

phpCMS is a content management system, which convinces in particular by
small
system requirements, high performance and above all its flexibility.

vulnerabilty overview:

a flaw in phpCMS makes it possible to include arbitrary files on the server.
as the "include" statement is called before any session checks occur,
this vuln
can be exploited without any prior authentication.

proof of concept:

the vulnerable include call resides in class.layout_phpcms.php:

if(isset($_GET['language']) && $_GET['language'] != '') {
include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);
[…]

so you are able to do something like:

http://vu1n.com/parser/parser.php?&phpcmsaction=FILEMANAGER&language=de/../../../../../../../etc/passwd

vulnerable versions:

according to Ignatius from the phpCMS Core Team, the vulnerable code
line was introduced in phpCMS 1.2.0. older versions are not affected by
this vulnerabity.

vendor status:

vendor notified: 2005-05-31
vendor response: immediately
patch available: 2005-06-01

the vulnerabilty has been adressed in phpCMS 1.2.1pl2. additionally,
patches for the affected versions have been made available by the vendor.

http://www.phpcms.de/download/

Bernhard Mueller / www.sec-consult.com /
SGT ::: dfa, tke, bfi, mei, flo, walter|bruder :::

~    ___   ___
~   |   |=|_.'   .'|   .'|   .'|=|`.     .'|
~   `.  |      .'  | .' .' .'  | |  `. .'  |
 ==== `.|=|`.  |   |=|.:   |   | |   | |   |  ======
~    ___  |  `.|   |   |'. `.  | |  .' |   |  ___
~    `._|=|___||___|   |_|   `.|=|.'   |___|=|_.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
JSON