It's a fake. There's the line:

    [Line 827] include_once($fichero);

It isn't possible to change the value of this variable with a GET parameter:

    function cargar_includes(){
        // Split the 'includes' value on ';' to get the list of file names
        $includes = explode(';', $this->get_var('includes'));
        foreach($includes as $include){
            // Each name is appended to the ruta_conf path
            $fichero = $this->ruta_conf . $include;
            // Include only non-empty names that exist on disk
            if (!empty($include) && file_exists($fichero)){
                include_once($fichero);
            }
        }
    }

On another line:

    class cls_morcegoCMS {
    [...]
        function includePHP( $cadena ) {
            // we strip the / or \ from $cadena; only files located in includes will be allowed
            $str_out = '';
            // Normalise backslashes to forward slashes
            $cadena = str_replace( "\\", "/", $cadena );
            // If a slash is present, keep only the trailing part of the string
            $cadena = ( strrpos( $cadena, '/') === false ) ? $cadena : substr( $cadena, - ( strrpos ( $cadena, '/') + 2 ));
            // The path is built relative to the directory of this class file
            $fichero = dirname(__FILE__) . '/../' . $cadena ;
            if (file_exists( $fichero )){
                // Capture the output of the included file instead of printing it
                @ob_start();
                @include_once( $fichero);
                $str_out = @ob_get_contents();
                @ob_end_clean();
            }
            return $str_out;
        }
    [...]

I think it's too easy to publish a false vulnerability based on an old and unknown script.
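
The comment in includePHP states the intent that only files located in includes are permitted. One way to enforce that kind of restriction with basename() and realpath(), as an added example that is not morcegoCMS code and not part of the original post; the helper name resolve_include, the ".php"-only name rule and the temporary demo directory are assumptions.

```php
<?php
// Added example: confine an include name to a single directory.
// resolve_include() is a hypothetical helper, not part of morcegoCMS.

function resolve_include(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                    // base directory does not exist
    }
    // Treat backslashes as separators too, then keep only the final component.
    $leaf = basename(str_replace('\\', '/', $name));
    // Assumed naming rule: letters, digits, '_' and '-', ending in .php
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $leaf)) {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $leaf);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // After resolution the file must still sit directly inside the base directory.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary directory holding one include file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'menu.php', "<?php return 'menu';\n");

// Constructed sample names, including ones carrying directory components.
$samples = ['menu.php', 'sub/menu.php', '..\\..\\menu.php', '../config.inc', 'missing.php', ''];
foreach ($samples as $name) {
    $resolved = resolve_include($dir, $name);
    printf("%-20s => %s\n", var_export($name, true), $resolved === null ? 'rejected' : $resolved);
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'menu.php');
rmdir($dir);
```

Names that carry directory components are reduced to their last component before the lookup, so every accepted result is a file directly inside the base directory.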