Bugtraq mailing list archives
Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include
From: Mailinglists Address <mailinglist () expresshosting net>
Date: Tue, 30 Jan 2007 16:33:06 -0600
<snip class="drivel">
file ; index.php sources/usercp.php sources/admin.php ######################################################################## bugs ; require_once("{$CONF['path']}/sources/misc/classes.php"); ######################################################################## exp; /atsphp-5.0.1/index.php?CONF[path]=evilcode? /atsphp-5.0.1/sources/usercp.php?CONF[path]=evilcode? /atsphp-5.0.1/sources/admin.php?CONF[path]=evilcode? ########################################################################
</snip> in the index.php the $CONF['path'] variable is overwritten on line 20, with line 26 being the require_once() call: $CONF['path'] = '.'; This same line also is applied in the following file(s): ssi.php captcha.php button.php install/index.php install/upgrade.php in the source/user_cp.php file (incorrectly noted as usercp.php): since the referenced require_once is enclosed in a class it is impossible to instance this class and subsequently call the require_once() on line 29. in the source/admin.php file: the same applies to this file as the require_once() are encapsulated within a class that can not be instanced. Tom Walsh Express Web Systems, Inc.
Current thread:
- Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include trzindan (Jan 30)
- Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include Mailinglists Address (Jan 30)
- Re: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include Casey Marshall (Jan 31)