Lemon CMS 'browser.php' Local File Include Vulnerability

Bugtraq ID:	30285
Class:	Input Validation Error
CVE:	CVE-2008-3312
Remote:	Yes
Local:	No
Published:	Jul 18 2008 12:00AM
Updated:	May 07 2015 05:27PM
Credit:	Ciph3r
Vulnerable:	Lemon CMS Lemon CMS 1.10
Not Vulnerable:	Lemon CMS Lemon CMS 2.0

Lemon CMS 'browser.php' Local File Include Vulnerability

Lemon CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.

Lemon CMS 1.10 is vulnerable; other versions may also be affected.

Lemon CMS 'browser.php' Local File Include Vulnerability

Attackers can exploit this issue via a browser.

The following example URI is available:

http://www.example.com/lemon_includes/FCKeditor/editor/filemanager/browser/browser.php?dir=../../../../../../../../../../etc/passwd

Lemon CMS 'browser.php' Local File Include Vulnerability

Solution:
The vendor has released a fix. Please see the references for details.


Lemon CMS Lemon CMS 1.10

• Lemon CMS browser.php
  http://downloads.sourceforge.net/lemon-cms/browser.php?modtime=1217756 065&big_mirror=0

Lemon CMS 'browser.php' Local File Include Vulnerability

References:

• Lemon CMS Homepage (Lemon CMS)