BugReport.ir - RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit

########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: RunCms Multiple Vulnerabilities
# Vendor: http://www.runcms.org/
# Bugs: Local File Inclusion, Modules Authorization Weakness
# Vulnerable Version: RunCMS 1.6 Halloween, 1.5.x (prior versions also may be affected)
# Exploitation: Remote with browser
# Exploit: Available
# Fix Available: No!
#######################################################################################

Description:
Modules Authorization Weakness (Remote Code Execution)

There is a logical weakness in the Structure of Modules Authorization mechanism.
When a module is not installed by the site admin, anyone (groups of Anonymous Users) can access module’s admin area!
The most dangerous module in this case is newbb_plus which provide a form to overwrite disclaimer.php!
Form address example: http://localhost/runcms_1.6/modules/newbb_plus/admin/forum_config.php
Disclaimer address example: http://localhost/runcms_1.6/modules/newbb_plus/cache/disclaimer.php