Bugtraq mailing list archives
LFI in DZCP
From: advisory () htbridge ch
Date: Wed, 27 Oct 2010 12:46:57 +0200 (CEST)
Vulnerability ID: HTB22656 Reference: http://www.htbridge.ch/advisory/lfi_in_dzcp.html Product: DZCP Vendor: dzcp.de ( http://www.dzcp.de ) Vulnerable Version: 1.5.4 Vendor Notification: 13 October 2010 Vulnerability Type: Local File Inclusion Status: Fixed by Vendor Risk level: High Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: The vulnerability exists due to failure in the "/index.php" script to properly sanitize user-supplied input in [prefix]_language variable from cookie. The following PoC is available: Cookie: [prefix]_language=../../../1; File must exist. Solution: Upgrade to the most recent version
Current thread:
- LFI in DZCP advisory (Oct 27)