[VIM] uncertain: FCMS (Family Connections) code execution
Steven M. Christey
coley at mitre.org
Tue Aug 14 23:30:19 UTC 2007
Researcher: ilker kandemir
Ref: CVE-2007-4338
BUGTRAQ FCMS (Family Connections) <= 0.1.1 Remote Command Execution
Exploit // www.MefistoLabs.com
http://www.securityfocus.com/archive/1/archive/1/476142/100/0/threaded
There's a dispute here:
http://www.securityfocus.com/archive/1/archive/1/476293/100/0/threaded
that points to an "original exploit" for an entirely different product
at http://www.milw0rm.com/exploits/4145, so maybe the dispute is about
copying someone else's exploit without credit.
Looking at the source code for index.php in version 0.6, we have:
    // Quoted from FCMS 0.6 index.php: a client-supplied cookie value is
    // copied straight into the server-side session without any check.
    if (isset($_COOKIE['fcms_login_id'])) {
        $_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
    }
but, except for a mysql_query() that might have an SQL injection, the
code only does a meta-refresh to home.php.
There isn't any other code in index.php; the rest are function
definitions.
Now, I don't know how PHP saves and passes session information back to
the user across requests, but maybe this meta-refresh is enough for
deeper access?
Any ideas?
- Steve
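On the session question raised above, as an added illustration rather than FCMS code: PHP keeps $_SESSION on the server and ties it to the browser only through the session-id cookie, so a value assigned into $_SESSION on one request is still there on the next one, meta-refresh included. The quoted pattern is shown beside a hardened "remember me" lookup; the remember_tokens table, its columns and the function names are assumptions.

```php
<?php
// Added example, not FCMS code. Table and column names are assumptions.
session_start();

// Pattern quoted from index.php: whatever the client puts in the
// fcms_login_id cookie becomes the server-side session's login_id.
// $_SESSION is stored server-side and keyed only by the session-id
// cookie, so the value persists across the redirect to home.php.
function restore_login_unchecked(): void
{
    if (isset($_COOKIE['fcms_login_id'])) {
        $_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
    }
}

// Hardened form: the cookie carries a random, unguessable token that is
// looked up server-side; the user id comes from the database row, never
// from the cookie itself.
function restore_login_checked(PDO $db): void
{
    if (!isset($_COOKIE['fcms_remember'])) {
        return;
    }
    $token = (string) $_COOKIE['fcms_remember'];
    // Only a hash of the token is stored, so a leaked table does not grant logins.
    $stmt = $db->prepare(
        'SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires > NOW()'
    );
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return;
    }
    session_regenerate_id(true);   // fresh session id once privilege changes
    $_SESSION['login_id'] = (int) $userId;
}

// Issued at real login time (hypothetical helper): random token to the
// browser, its hash and an expiry to the database.
function issue_remember_token(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 30 DAY))'
    );
    $stmt->execute([$userId, hash('sha256', $token)]);
    // secure + httponly flags keep the token off plain HTTP and out of script reach
    setcookie('fcms_remember', $token, time() + 30 * 86400, '/', '', true, true);
}
```

random_bytes() and the typed signatures require PHP 7 or later.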