
| Subject: | Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include |
|---|---|
| Date: | Tue, 30 Jan 2007 16:33:06 -0600 |
<snip class="drivel">
file ;
index.php
sources/usercp.php
sources/admin.php
########################################################################
bugs ;
require_once("{$CONF['path']}/sources/misc/classes.php");
########################################################################
exp;
/atsphp-5.0.1/index.php?CONF[path]=evilcode?
/atsphp-5.0.1/sources/usercp.php?CONF[path]=evilcode?
/atsphp-5.0.1/sources/admin.php?CONF[path]=evilcode?
########################################################################
</snip>

In the index.php the $CONF['path'] variable is overwritten on line 20, with line 26 being the require_once() call:

$CONF['path'] = '.';

This same line is also applied in the following file(s):

ssi.php
captcha.php
button.php
install/index.php
install/upgrade.php

In the source/user_cp.php file (incorrectly noted as usercp.php): since the referenced require_once is enclosed in a class, it is impossible to instance this class and subsequently call the require_once() on line 29.

In the source/admin.php file: the same applies to this file, as the require_once() calls are encapsulated within a class that cannot be instanced.

Tom Walsh
Express Web Systems, Inc.
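The core of the rebuttal above is an ordering argument: if a file assigns $CONF['path'] before the require_once() that consumes it, a register_globals-injected value is clobbered before the include runs. The script below is an added triage helper (not part of this thread and not ATSphp code) that automates that check: given a PHP file and a bare variable name, it reports whether the first include/require using the variable is preceded by an assignment to it. The two PHP files it inspects are constructed here to mirror the two patterns discussed (a file that includes from an unset variable, and the index.php pattern with `$CONF['path'] = '.';` first); file names and the `rfi_triage`/`make_samples` function names are this example's own. It is a single-file, one-statement-per-line heuristic; it does not see includes that live inside a class body, so Walsh's user_cp.php/admin.php point still requires reading the code.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the thread): for a register_globals-style
# "RFI via $VAR" claim, check whether the file assigns $VAR on an earlier
# line than the first include/require that consumes it. If it does, the
# request-supplied value is overwritten before the include runs.
set -eu

# rfi_triage FILE VAR   (VAR is the bare PHP variable name, e.g. CONF)
# Prints one of:
#   no-include               VAR never appears inside include/require
#   unassigned-include       first include using VAR has no earlier assignment to VAR
#   assigned-before-include  VAR is assigned on an earlier line than its first include use
rfi_triage() {
  local file=$1 var=$2 inc_line asg_line
  # first include/require(_once) whose argument (up to ';') contains $VAR
  inc_line=$(grep -nE "(include|require)(_once)?[^;]*\\\$${var}[^A-Za-z0-9_]" "$file" \
               | head -n1 | cut -d: -f1)
  if [ -z "$inc_line" ]; then
    echo no-include
    return 0
  fi
  # first plain assignment to $VAR or $VAR[...]: a single '=' not followed by '='
  # (heuristic: assumes one statement per line, so '==' comparisons are skipped)
  asg_line=$(grep -nE "^[^=]*\\\$${var}(\\[[^]]*\\])?[[:space:]]*=[^=]" "$file" \
               | head -n1 | cut -d: -f1)
  if [ -z "$asg_line" ] || [ "$asg_line" -gt "$inc_line" ]; then
    echo unassigned-include
  else
    echo assigned-before-include
  fi
}

# make_samples DIR: writes two constructed PHP files for the demo.
make_samples() {
  local dir=$1
  # constructed: the path variable is never set before the include uses it
  cat > "$dir/vulnerable.php" <<'EOF'
<?php
// constructed sample: nothing sets the path variable before use
require_once("{$CONF['path']}/sources/misc/classes.php");
EOF
  # constructed: mirrors the index.php pattern described in the reply
  cat > "$dir/atsphp_index.php" <<'EOF'
<?php
$CONF['path'] = '.';
require_once("{$CONF['path']}/sources/misc/classes.php");
EOF
}

demo() {
  local dir
  dir=$(mktemp -d)
  make_samples "$dir"
  for f in vulnerable.php atsphp_index.php; do
    printf '%-18s CONF -> %s\n' "$f" "$(rfi_triage "$dir/$f" CONF)"
  done
  rm -rf "$dir"
}

demo
```

Run it against the real files with `rfi_triage path/to/index.php CONF`; an `assigned-before-include` verdict is enough to reject an index.php-style claim, while `unassigned-include` only means the file deserves a manual look (the variable may still be set by an earlier include, or the include may sit in code that never executes).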