LFI Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta 

========================================================
1024cms Admin Control Panel v1.1.0 Beta (Master-cPanel Package) - 
Local File Include Vulnerability
========================================================
  
Software:             1024cms Admin Control Panel v1.1.0 Beta (master-cpanel package)
Vendor:                http://adf.ly/1C49N
Vuln Type:              Local File Include
Remote:                 Yes
Local:                  No
Discovered by:  QSecure and Demetris Papapetrou 
Website:                http://www.qsecure.com.cy
Discovered:             15/03/2011
Reported:               29/03/2001
Disclosed:
 
 VULNERABILITY DESCRIPTION:
==========================
The script "/index.php" is prone to a local file-include vulnerability because it fails 
to properly sanitize user-supplied input in the "processfile" parameter.

An attacker can exploit this vulnerability to obtain potentially sensitive information 
and execute arbitrary local scripts in the context of the webserver process. This 
may allow the attacker to compromise the application and the underlying computer; 
other attacks are also possible.


PoC Exploit:
============
/index.php?mode=login&processfile=../../../../../../etc/passwd

Comments

Post a Comment

Popular posts from this blog

iStealer Tutorial

Image
Before we start, I just wanted to say this, This is tutorial for people which have no knowledge on configuring a iStealer server! If you have no knowledge on how to configure a iStealer server please read on!! Also before we start we need to sign up for a free FTP service, I currently use http://www.drivehq.com so use that one, sign up and now lets start! Step 1 ( Obtaining iStealer ): Go to the following link: *Note: This file was uploaded by me, it is safe, If you don't believe me nor want to download it search for it on google. I have been using this for a while so I consider it safe. Download Link: http://adf.ly/7rdCS This application WILL be detected by your anti-virus. Of course online scanners detect it as infected.. it's a stealer you know..if you still believe this to be infected by me please do not download! Step 2: (Extracting) Right Click and extract "iStealer 3.0" Once extracted there should be two files. One folder called "Icon Pack" and one a
Read more

Beware Of Tab Napping: New Phishing Technique

I have recently wrote a post on all the techniques of phishing and how to detect these phishing techniques.You can read the post on phishing techniques by clicking here .As people were becoming more and more aware of these traditional phishing techniques and it was becoming difficult for the scammers to cheat people using these phishing techniques so they invented a new technique called “Tab Napping”.This is one of the most intelligent and wise methods of phishing and it not easily detected by a normal internet user until and unless he is aware of this phishing technique.
Read more

Sending RATs in Chat rooms[Social Engeering]

Ok Lets Start, so most people will know that yahoo Messenger has many chat rooms, and that you can do alot of things with them, such as sending files. Now, i must say, i have sent a ridiculous amount of RATs through yahoo chat rooms, and most have made connections. The people on certain chat rooms are desperate, and often do not have virus protection, or, in many cases will disable it for the 'pictures'. 1. If you do not have Yahoo Messenger, go to http://messenger.yahoo.com/ Download and install. 2. Set up a new account as a female (my name is "Amanda" online). 3. After your new account is set up, ensure that you have a RAT ready, and name it something sexy or dirty. e.g mine are named "me.nude" and "me.naked". 4. Now at the top left of the yahoo messenger screen, click on the drop down bar called "Messenger". 5. From there, go to yahoo chat, and then click "Join a Room" 6. Now, there should be a huge list of r
Read more