-[*]+================================================================================+[*]- -[*]+ EZCMS <= 1.2 Multiple Remote Vulnerabilitys +[*]- -[*]+================================================================================+[*]- [*] Discovered By: t0pP8uZz [*] Discovered On: 19 MAY 2008 [*] Script Download: http://eztechhelp.com [*] DORK google/altavista: "Powered by EZCMS" [*] Vendor Has Not Been Notified! [*] DESCRIPTION: EZCMS (all versions prior to date) suffers from 2 remote vulnerabilitys. One of these being a BLIND Sql Injection in "index.php" and the "page" variable is injectable. see example below. The second one being a insecure filemanager, the filemanager is hidden away in admin, the devs probarly thought no one would find it.. but here i am telling you ;) see more below. [*] Blind SQL Injection: http://site.com/index.php?page=1 and 1=1 http://site.com/index.php?page=1 and 1=2 [*] Arbitrary Remote File Manager Access: http://site.com/ezcms/admin/filemanager/ [*] NOTE/TIP: no exploit coded for the blind injection, because no point due to you can get a easy shell through the file manager, althou if your curious, use SQLMap. (check sourceforge) the "File Manager" is a very easy to use bug, just browse to site.com/ezcms/admin/filemanager/ site.com being the actual site and you can upload/edit/delete/upload/move files/folders. [*] GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! [-] peace, t0pP8uZz -[*]+================================================================================+[*]- -[*]+ EZCMS <= 1.2 Multiple Remote Vulnerabilitys +[*]- -[*]+================================================================================+[*]-