Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12764
HistoryMay 23, 2006 - 12:00 a.m.

[KAPDA::#43] - phpwcms multiple vulnerabilities

2006-05-2300:00:00
vulners.com
27

Vendor: http://www.phpwcms.de
Bugs: Path Disclosure, XSS, Local File Inclusion,
Remote Code Execution
Vulnerable Version: phpwcms 1.2.5-DEV (prior versions
also maybe affected)
Exploitation: Remote with browser

Description:

phpwcms is a web content management system optimized
for fast and easy setup on any standard web server.
phpwcms is perfect for professional, public and
private users.

Vulnerability:

–>>Path Disclosure<<–
Reason: direct access to include files that generates
php error with installation path information.
Several files are vulnerable in this case.
Example:
http://example.com/phpwcms/include/inc_lib/files.public-userroot.inc.php
http://example.com/phpwcms/include/inc_lib/files.private.additions.inc.php

–>>XSS<<–
Reason: when register globals is enable several
template files are vulnerable to xss.

Example:
http://localhost/php/phpwcms/include/inc_tmpl/content/cnt6.inc.php?BL[be_cnt_plainhtml]=&lt;script&gt;alert&#40;document.cookie&#41;&lt;/script&gt;

Code Snippet:
/include/inc_tmpl/content/cnt6.inc.php //line#28
<?php echo $BL['be_cnt_plainhtml'] ?>

–>>Local File Inclusion<<–
Reason: Incorrect use of spaw script (external script)
and its configuration result in local file inclusion
when register globals is enable and gpc_magic_quotes
is Off.

http://localhost/php/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../../etc/passwd&#37;00

Code Snippet:
/include/inc_ext/spaw/spaw_control.class.php
//lines:#15-20

if (preg_match("/:\/\//i", $spaw_root)) die ("can't
include external file");

include $spaw_root.'config/spaw_control.config.php';
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/toolbars.class.php';
include $spaw_root.'class/lang.class.php';

–>>Remote Code Execution<<–
Reason: It is possible for an attacker to upload a
picture with php code as EXIF metadata content in his
post and then he can uses above vulnerability to
conduct remote code execution.

Example:
http://example.com/phpwcms/include/inc_ext/spaw/spaw_control.class.php?spaw_root=../../../picture/upload/shell.jpg&#37;00

Solution:

Vendor has been contacted but we are not aware of any
vendor supplied patch.

Original Advisories:

http://www.kapda.ir/advisory-331.html
IN Farsi:http://irannetjob.com/
Credit:

Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com