Magtrb MyNews "basepath" File Inclusion Vulnerabilities


Description   Kurdish Hackers Team has discovered multiple vulnerabilities in Magtrb MyNews, which can be exploited by malicious people to compromise a vulnerable system.
Input passed via the "basename" parameter to includes/tiny_mce/plugins/filemanager/classes/FileManager/FileSystems/ZipFileImpl.php, includes/tiny_mce/plugins/filemanager/classes/FileManager/FileManagerPlugin.php, includes/tiny_mce/plugins/filemanager/classes/FileSystems/RootFileImpl.php, includes/tiny_mce/plugins/imagemanager/classes/ImageManager/ImageManagerPlugin.php, and includes/tiny_mce/plugins/filemanager/classes/CorePlugin.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled.
The vulnerabilities are confirmed in version 1.2. Other versions may also be affected.
     
Vulnerable Products   Vulnerable Software:
Magtrb MyNews 1.x
     
Solution   Edit the source code to ensure that input is properly verified.
     
CVE  
     
References   http://www.kurdteam.org/cc/viewtopic.php?p=234
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
HTTP Request Smuggling : HTTP command found in header | 3.2.0
Misc : Directory traversal - parameter starting with ../ | 3.2.0
Directory traversal using ..\.. | 3.2.0
Directory traversal | 3.2.0
HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header | 3.2.0
Directory traversal backward root folder | 3.2.0
HTTP Request Smuggling : suspicious syntax using HTTP keyword | 3.2.0
HTTP Request Smuggling : multiple Content-Length fields | 3.2.0
Misc : Local File Inclusion - suspicious /etc/passwd found in URL | 3.5.0
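
A web-server log check for the requests described above, added here as an example; it is not part of the original advisory and is not one of the ASQ signatures. It assumes a combined-format access log, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script paths named in the advisory, relative to the MyNews install root.
AFFECTED = (
    "includes/tiny_mce/plugins/filemanager/classes/FileManager/FileSystems/ZipFileImpl.php",
    "includes/tiny_mce/plugins/filemanager/classes/FileManager/FileManagerPlugin.php",
    "includes/tiny_mce/plugins/filemanager/classes/FileSystems/RootFileImpl.php",
    "includes/tiny_mce/plugins/imagemanager/classes/ImageManager/ImageManagerPlugin.php",
    "includes/tiny_mce/plugins/filemanager/classes/CorePlugin.php",
)
# The advisory title says "basepath" and the body says "basename": watch both.
PARAMS = ("basepath", "basename")
# Request line of a combined-format log entry (the log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value shapes: URL scheme, parent-directory step, absolute path, NUL byte.
SUSPICIOUS = re.compile(r"^[a-z][a-z0-9+.-]*://|\.\.[/\\]|^/|\x00", re.I)

def classify(line):
    """Return None, 'param-set' or 'inclusion-attempt' for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(AFFECTED):
        return None
    # parse_qs percent-decodes values, so ..%2F is seen as ../
    query = parse_qs(url.query, keep_blank_values=True)
    values = [v for p in PARAMS for v in query.get(p, [])]
    if not values:
        return None
    # Any request-supplied value here is abnormal; these shapes are worse.
    return "inclusion-attempt" if any(SUSPICIOUS.search(v) for v in values) else "param-set"

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v]

# Constructed sample log lines (documentation addresses and host names).
P = "/mynews/includes/tiny_mce/plugins/"
SAMPLE = [
    f'192.0.2.10 - - [30/Sep/2011:10:00:01 +0000] "GET {P}filemanager/classes/CorePlugin.php?basename=http://example.test/x HTTP/1.1" 200 512',
    f'192.0.2.11 - - [30/Sep/2011:10:00:02 +0000] "GET {P}imagemanager/classes/ImageManager/ImageManagerPlugin.php?basepath=..%2F..%2Ftmp%2Fx HTTP/1.1" 200 87',
    f'192.0.2.12 - - [30/Sep/2011:10:00:03 +0000] "GET {P}filemanager/classes/CorePlugin.php?basename=classes HTTP/1.1" 200 0',
    '192.0.2.13 - - [30/Sep/2011:10:00:04 +0000] "GET /mynews/index.php?basename=http://example.test/x HTTP/1.1" 200 4096',
    f'192.0.2.14 - - [30/Sep/2011:10:00:05 +0000] "GET {P}filemanager/classes/CorePlugin.php HTTP/1.1" 200 0',
]
```

With "register_globals" enabled the same variable can also arrive in a POST body or cookie, which an access log does not record, so this check covers query strings only.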
     
Risk level   High

Vulnerability First Public Report Date   2011-09-30

Target Type   Server

Possible exploit   Remote