
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability

Medium
Advisory ID: ZSL-2011-5019
Release Date: 10 June 2011
Vendor: The Pacer Edition - http://www.thepaceredition.com
Affected Version: RC 2.1 (SVN: 867)
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

The 'Pacer Edition' is a Content Management System (CMS) written using PHP 5.2.9 as a minimum requirement. The Pacer Edition CMS was based on the Website Baker core and has been completely redesigned with a whole new look and feel along with many new advanced features to allow you to build sites exactly how you want and make them, 100% yours!

Description

Pacer Edition CMS suffers from a local file inclusion vulnerability: input passed through the 'l' parameter to the admin/login/forgot/index.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

/admin/login/forgot/index.php (lines 59-62)
----------------
$lang_id = ((isset($_GET['l'])) ? $_GET['l'] : '');
if ($lang_id == '') $lang_id = (LANGUAGE) ? LANGUAGE : (DEFAULT_LANGUAGE) ? DEFAULT_LANGUAGE : 'EN';
if (!file_exists(PE_PATH.'/languages/'.$lang_id.'.php')) $lang_id = 'EN';
require (PE_PATH.'/languages/'.$lang_id.'.php');
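A hardened replacement for the language-file selection shown above, as an added example that is not code from the advisory or from the Pacer Edition project. The helper name pe_resolve_language_file() is hypothetical, and the two-uppercase-letter code format is an assumption inferred from the 'EN' default; the demo directory and inputs are constructed.

```php
<?php
// Added example: pick the language file from an allowlist instead of
// concatenating the raw 'l' parameter into the require path.
function pe_resolve_language_file($requested, $languagesDir, $fallback = 'EN')
{
    $base = realpath($languagesDir);
    if ($base === false) {
        throw new RuntimeException('languages directory not found');
    }
    // Allowlist = language files actually shipped in the directory.
    $allowed = array();
    foreach (glob($base . DIRECTORY_SEPARATOR . '*.php') ?: array() as $file) {
        $allowed[] = basename($file, '.php');
    }
    // Accept only a plain string of two uppercase letters (assumed format).
    // \A...\z anchors reject '/', '\', '.', NUL bytes and trailing newlines;
    // is_string() rejects array input such as l[]=EN.
    $ok = is_string($requested)
        && preg_match('/\A[A-Z]{2}\z/', $requested) === 1
        && in_array($requested, $allowed, true);
    $lang = $ok ? $requested : $fallback;

    // Defence in depth: the resolved path must stay inside the directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $lang . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file missing: ' . $lang);
    }
    return $path;
}

// Constructed demo: a temporary languages directory with two files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pe_lang_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/EN.php', "<?php return 'English';");
file_put_contents($dir . '/DE.php', "<?php return 'Deutsch';");

// Constructed inputs: valid code, unknown code, traversal string,
// embedded NUL byte, and an array value.
$samples = array('DE', 'FR', '../../config', "EN\0.txt", array('EN'));
foreach ($samples as $l) {
    $file = pe_resolve_language_file($l, $dir);
    printf("%-16s -> %s\n", json_encode($l), basename($file));
}

// In the page itself the call would replace lines 59-62, e.g.:
// require pe_resolve_language_file(isset($_GET['l']) ? $_GET['l'] : null, PE_PATH . '/languages');
unlink($dir . '/EN.php'); unlink($dir . '/DE.php'); rmdir($dir);
```

Only 'DE' resolves to its own file; every other sample falls back to EN.php.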
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
10.06.2011 - Initial release
11.06.2011 - Added reference [3]
12.06.2011 - Added reference [4]
13.06.2011 - Added reference [5]