Bugtraq mailing list archives
Re: Plume CMS <= 1.1.10 [prepend.php] Remote File Include Vulnerability
From: Craig Morrison <craig () fishpalace org>
Date: Mon, 18 Sep 2006 22:43:26 -0400
D3nGeR () Gmail CoM wrote:
Vendor: Plume CMS 1.1.10 Found By : D3nGeR Scripit Site : http://plume-cms.net in file [prepend.php] ; include_once $_PX_config['manager_path'].'/inc/class.config.php' code http://site.com/[path]manager/frontinc/prepend.php?_PX_config[manager_path]=[shell code ]
You can't call prepend.php in that path directly, it's protected by: if (basename($_SERVER['SCRIPT_NAME']) == 'prepend.php') exit;In config.php $_PX_config[manager_path] is explicitly set.. And while not included in prepend.php, that file is included in others before access, so there is no vulnerability..
-- Craig Morrison =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= http://pse.2cah.com Controlling pseudoephedrine purchases. http://www.mtsprofessional.com/ A Win32 email server that works for You.
Current thread:
- Plume CMS <= 1.1.10 [prepend.php] Remote File Include Vulnerability D3nGeR (Sep 18)
- Re: Plume CMS <= 1.1.10 [prepend.php] Remote File Include Vulnerability Craig Morrison (Sep 19)