← Advisories

u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability

Medium
Advisory ID
ZSL-2015-5224
Release Date
09 February 2015
Vendor
Stefan P. Minder - http://www.yuba.ch
Affected Version
3.9.3 and 3.9.2
CVE
N/A
Tested On
Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Description

u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'f' parameter to thumb.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.

Proof of Concept
u5cms_lfi.txtTXT
Disclosure Timeline
29.12.2014Vulnerability discovered.
04.02.2015Contact with the vendor.
04.02.2015Vendor replies asking more details.
05.02.2015Sent details to the vendor.
06.02.2015Vendor releases version 3.9.4 to address these issues.
09.02.2015Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://yuba.ch/index.php?c=u5cms&l=en
[2]http://www.exploit-db.com/exploits/36028
[3]http://xforce.iss.net/xforce/xfdb/100774
[4]http://cxsecurity.com/issue/WLB-2015020036
[5]http://packetstormsecurity.com/files/130310
[6]http://osvdb.org/show/osvdb/118106
Changelog
09.02.2015Initial release
11.02.2015Added reference [2], [3], [4], [5] and [6]