[VIM] pecio CMS v2.0.5 Multiple Remote File Inclusion Vulnerabilities
George A. Theall
theall at tenable.com
Fri Aug 27 13:41:08 CDT 2010
Exploit DB 14815 / Bugtraq 42806 concern an advisory from eidelweiss
about multiple remote file inclusion vulnerabilities in something
called pecio CMS. Yet if you look at the code quoted in the advisory,
things look suspicious:
----- snip, snip, snip -----
-=[ Vuln c0de ]=-
<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/header.php'); ?>
<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/footer.php'); ?>
-=[ p0c ]=-
http://sample.site/pecio_path/pec_templates/nova-blue/post.php?template=[inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/article.php?template=[inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/blog.php?template=[inj3ct0r sh3ll]
http://sample.site/pecio_path/pec_templates/nova-blue/home.php?template=[inj3ct0r sh3ll]
----- snip, snip, snip -----
And if you download the distribution file and look at the source, your
suspicions should be confirmed. For example, here are the *entire*
contents of pec_templates/nova-blue/blog.php:
----- snip, snip, snip -----
<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/header.php'); ?>
<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/blog-data.php'); ?>
<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/footer.php'); ?>
----- snip, snip, snip -----
That is, there's no way the PoCs in the advisory will work as specified.
George
--
theall at tenablesecurity.com
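
The source check described in the post, as an added sketch that is not part of the original message or of the pecio code base: it looks at each include in a template file and asks whether the claimed parameter reaches the expression from request input. The function names and the contrast sample are assumptions, and the regexes are a triage heuristic, not a PHP parser.

```python
import re

# Constructed sample: the blog.php contents quoted in the post, with the mail line wraps removed.
_INC = "<?php include('pec_templates/' . $pecio->get('template')->get_directory_name() . '/%s'); ?>\n"
BLOG_PHP = "".join(_INC % f for f in ("header.php", "blog-data.php", "footer.php"))

# Constructed contrast case (not from pecio): an include built directly from request input.
TAINTED_PHP = "<?php include($_GET['template'] . '/header.php'); ?>\n"

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b(.*?);", re.S)
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
VAR_RE = re.compile(r"\$(\w+)")


def triage_includes(php_source, claimed_param):
    """Describe how each include expression in php_source relates to claimed_param."""
    findings = []
    for match in INCLUDE_RE.finditer(php_source):
        expr = match.group(1).strip()
        # Direct read of the claimed parameter from a request superglobal.
        from_request = claimed_param in SUPERGLOBAL_RE.findall(expr)
        # A bare $param is request-settable only where register_globals is on.
        bare_variable = re.search(r"\$" + re.escape(claimed_param) + r"\b", expr) is not None
        # Variables the expression needs that this file never assigns: a direct
        # request normally leaves them unset, so a method call on them is fatal.
        unassigned = sorted(
            name for name in set(VAR_RE.findall(expr))
            if not name.startswith("_")
            and not re.search(r"\$" + re.escape(name) + r"\s*=(?!=)", php_source)
        )
        findings.append({"expr": expr, "from_request": from_request,
                         "bare_variable": bare_variable, "unassigned": unassigned})
    return findings


def claim_is_plausible(php_source, claimed_param):
    """True if any include expression takes claimed_param from request input."""
    return any(f["from_request"] or f["bare_variable"]
               for f in triage_includes(php_source, claimed_param))


if __name__ == "__main__":
    for f in triage_includes(BLOG_PHP, "template"):
        print(f)
    print("claim plausible:", claim_is_plausible(BLOG_PHP, "template"))
```

For the quoted blog.php, every include depends on `$pecio`, which the file never assigns, and none reads a `template` request parameter.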