
Re: Morcego CMS <= 0.9.6 Remote File Include Vulnerability



It's a Fake:

There's the line: 


[Line 827] include_once($fichero);


It isn't possible to change the value of this variable with a GET parameter:


function cargar_includes(){
    $includes = explode(';', $this -> get_var('includes'));
    foreach($includes as $include){
        $fichero = $this -> ruta_conf . $include ;
        if (!empty($include) && file_exists($fichero)){
            include_once($fichero);
        }
    }
}

In another line:

class cls_morcegoCMS {
[...]
    function includePHP( $cadena ) {
        // we strip the / or \ from $cadena; only files located in includes are allowed
        $str_out = '';
        $cadena = str_replace( "\\", "/", $cadena );
        $cadena = ( strrpos( $cadena, '/') === false ) ? $cadena : substr( $cadena, - ( strrpos ( $cadena, '/') + 2 ));
        $fichero = dirname(__FILE__) . '/../' . $cadena ;
        if (file_exists( $fichero  )){
            @ob_start();
            @include_once( $fichero);
            $str_out = @ob_get_contents();
            @ob_end_clean();
        }
        return $str_out;
    }
[...]

I think it's too easy to publish a false vulnerability based on an old and unknown
script.
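
Added example, not part of the original message and not Morcego CMS code: one way to pin an include to a fixed directory, the property the two quoted functions rely on, using basename() and a realpath() containment check. The function name resolve_include(), the temporary directory and the sample file names are hypothetical and constructed for this illustration.

```php
<?php
// Added illustration; resolve_include() and the sample names are hypothetical.

/**
 * Return the absolute path of $name inside $baseDir, or null when the
 * request does not resolve to a regular file within that directory.
 */
function resolve_include(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // base directory is missing
    }
    // Normalise separators, then keep only the final path component.
    $leaf = basename(str_replace('\\', '/', $name));
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }
    // realpath() resolves symlinks and returns false if the file is absent.
    $path = realpath($base . DIRECTORY_SEPARATOR . $leaf);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved file must still sit under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data: a temporary includes directory holding one file.
$dir = sys_get_temp_dir() . '/includes_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/menu.php', '<?php // constructed sample');

$samples = ['menu.php', 'sub/menu.php', '../../etc/passwd',
            'http://example.invalid/x.php', 'missing.php', ''];
foreach ($samples as $s) {
    $r = resolve_include($dir, $s);
    printf("%-32s => %s\n", var_export($s, true), $r ?? 'rejected');
}

unlink($dir . '/menu.php');
rmdir($dir);
```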