Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion, Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions may also be affected)
Exploitation: Remote with browser
phpwcms is a web content management system optimized
for fast and easy setup on any standard web server.
phpwcms is perfect for professional, public and
private users.
–>>Path Disclosure<<–
Reason: Direct access to include files generates a PHP
error that reveals the installation path.
Several files are vulnerable in this way.
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php
–>>XSS<<–
Reason: When register_globals is enabled, several
template files are vulnerable to XSS.
Code Snippet:
/include/inc_tmpl/content/cnt6.inc.php //line#28
<?php echo $BL['be_cnt_plainhtml'] ?>
–>>Local File Inclusion<<–
Reason: Incorrect use of the spaw script (an external
script) and its configuration results in local file
inclusion when register_globals is enabled and
magic_quotes_gpc is Off.
Code Snippet:
/include/inc_ext/spaw/spaw_control.class.php //lines:#15-20
if (preg_match("/:\/\//i", $spaw_root)) die ("can't include external file");
include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';
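The "://" test above rejects only URL-style values, so a local path still reaches the include statements. The PHP below is an added example, not phpwcms or SPAW code: it contrasts that test with a lookup that fixes the base directory in server-side code and confirms the resolved file stays inside it. The function names and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not phpwcms or SPAW code.

// The advisory's check: rejects only values containing "://".
function scheme_check_passes(string $root): bool
{
    return preg_match('/:\/\//i', $root) === 0;
}

// Hardened lookup: the base directory is fixed server-side, and the resolved
// file must exist and stay inside that directory.
function resolve_include(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('include path rejected: ' . $relative);
    }
    return $full;
}

// Constructed demo tree standing in for the spaw directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spaw_demo_' . getmypid();
@mkdir($base . DIRECTORY_SEPARATOR . 'config', 0700, true);
$cfg = $base . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'spaw_control.config.php';
file_put_contents($cfg, "<?php // demo config\n");

// A relative local path contains no "://", so the original check lets it through.
var_dump(scheme_check_passes('../../elsewhere/'));

// The fixed-base lookup accepts the expected file and rejects paths that escape.
foreach (['config/spaw_control.config.php', '../../elsewhere/config.php'] as $rel) {
    try {
        echo 'ok: ', resolve_include($base, $rel), "\n";
    } catch (RuntimeException $e) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}

// Remove the constructed demo files.
unlink($cfg);
rmdir($base . DIRECTORY_SEPARATOR . 'config');
rmdir($base);
```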
–>>Remote Code Execution<<–
Reason: An attacker can upload a picture with PHP code
as EXIF metadata content in a post and then use the
above vulnerability to conduct remote code execution.
Vendor has been contacted but we are not aware of any
vendor supplied patch.
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]