Security Alerts

Secunia

Community Login

VIM Login

Partner Login

Overview

Advisories

Research

Forums

Create Profile

Our Commitment

Database

Advisories by Product

Advisories by Vendor

Terminology

Report Vulnerability

Insecure Library Loading

Secunia Advisory SA39185

DynPG CMS "DefineRootToTool" File Inclusion Vulnerability

Secunia Advisory

SA39185

Get alerted and manage the vulnerability life cycle

Release Date

2010-04-01

Last Update

2010-04-21

Popularity

3,669 views

Comments

7 comments

Criticality level

Highly critical

Impact

Exposure of system information
Exposure of sensitive information
System access

Where

From remote

Authentication level

Available in Customer Area

Report reliability

Available in Customer Area

Solution Status

Vendor Patch

Systems affected

Available in Customer Area

Approve distribution

Available in Customer Area

Software:

DynPG CMS 4.x

Secunia CVSS Score

Available in Customer Area

CVE Reference(s)

CVE-2010-1299 CVSS available in Customer Area

Description

A vulnerability has been discovered in DynPG CMS, which can be exploited by malicious people to disclose potentially sensitive information or compromise a vulnerable system.

Input passed to the "DefineRootToTool" parameter in counter.php (when "inc" is set to any value) is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from remote and local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled and "register_globals" is enabled.

The vulnerability is confirmed in version 4.1.0. Other versions may also be affected.

Solution
Update to version 4.1.1 or later.

Provided and/or discovered by
eidelweiss

Changelog
Further details available in Customer Area

Original Advisory
eidelweiss:
http://packetstormsecurity.org/1004-exploits/dynpgcms-rfi.txt

DynPG:
http://www.dynpg.org/cms-freeware.php?t=DynPG-Update+4.1.1+noch+einfacher+und+sicherer!&read_article=169

Deep Links
Links available in Customer Area

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability

User

Message

crisies

RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability

2nd Apr, 2010 00:35

Score: 6
Posts: 2
User Since: 1st Apr 2010
System Score: N/A
Location: PY
Last edited on 2nd Apr, 2010 00:35

Patched Update- and Fullversion-packages (4.1.1) available from www.dynpg.org.

Thnx
chris.w.

Was this reply relevant?

-0

eidelweiss	RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability	[+]
This reply has been minimised due to a negative Relevancy Score.

crisies

RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability

2nd Apr, 2010 14:34

Score: 6
Posts: 2
User Since: 1st Apr 2010
System Score: N/A
Location: PY
Last edited on 2nd Apr, 2010 14:34

The vars from the includes/requiered pathes are removed or sanitised and checked before used.

In which file do u still see "any vulnerability"?

regards,
chris.w.

Was this reply relevant?

-0

eidelweiss	RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability	[+]
This reply has been minimised due to a negative Relevancy Score.

eidelweiss	RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability	[+]
This reply has been minimised due to a negative Relevancy Score.

eidelweiss	RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability	[+]
This reply has been minimised due to a negative Relevancy Score.

zeroc0de	RE: DynPG CMS "DefineRootToTool" File Inclusion Vulnerability	[+]
This reply has been minimised due to a negative Relevancy Score.

Secunia Advisory SA39185

DynPG CMS "DefineRootToTool" File Inclusion Vulnerability

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?